diff --git a/.venv/lib/python3.12/site-packages/hvac-2.3.0.dist-info/INSTALLER b/.venv/lib/python3.12/site-packages/hvac-2.3.0.dist-info/INSTALLER
deleted file mode 100644
index a1b589e..0000000
--- a/.venv/lib/python3.12/site-packages/hvac-2.3.0.dist-info/INSTALLER
+++ /dev/null
@@ -1 +0,0 @@
-pip
diff --git a/.venv/lib/python3.12/site-packages/hvac-2.3.0.dist-info/LICENSE.txt b/.venv/lib/python3.12/site-packages/hvac-2.3.0.dist-info/LICENSE.txt
deleted file mode 100644
index 8f71f43..0000000
--- a/.venv/lib/python3.12/site-packages/hvac-2.3.0.dist-info/LICENSE.txt
+++ /dev/null
@@ -1,202 +0,0 @@ - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. 
- - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "{}" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright {yyyy} {name of copyright owner} - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - diff --git a/.venv/lib/python3.12/site-packages/hvac-2.3.0.dist-info/METADATA b/.venv/lib/python3.12/site-packages/hvac-2.3.0.dist-info/METADATA deleted file mode 100644 index 7100189..0000000 --- a/.venv/lib/python3.12/site-packages/hvac-2.3.0.dist-info/METADATA +++ /dev/null 
@@ -1,70 +0,0 @@
-Metadata-Version: 2.1
-Name: hvac
-Version: 2.3.0
-Summary: HashiCorp Vault API client
-Home-page: https://github.com/hvac/hvac
-License: Apache-2.0
-Keywords: hashicorp,vault
-Author: Ian Unruh
-Author-email: ianunruh@gmail.com
-Maintainer: Brian Scholer
-Requires-Python: >=3.8,<4.0
-Classifier: License :: OSI Approved :: Apache Software License
-Classifier: Programming Language :: Python
-Classifier: Programming Language :: Python :: 3
-Classifier: Programming Language :: Python :: 3.8
-Classifier: Programming Language :: Python :: 3.9
-Classifier: Programming Language :: Python :: 3.10
-Classifier: Programming Language :: Python :: 3.11
-Classifier: Programming Language :: Python :: 3.12
-Classifier: Programming Language :: Python :: Implementation :: CPython
-Provides-Extra: parser
-Requires-Dist: pyhcl (>=0.4.4,<0.5.0) ; extra == "parser"
-Requires-Dist: requests (>=2.27.1,<3.0.0)
-Project-URL: Documentation, https://hvac.readthedocs.io/en/stable/overview.html
-Project-URL: Repository, https://github.com/hvac/hvac
-Description-Content-Type: text/markdown
-
-# hvac
-
-![Header image](https://raw.githubusercontent.com/hvac/hvac/main/docs/_static/hvac_logo_800px.png)
-
-[HashiCorp](https://hashicorp.com/) [Vault](https://www.vaultproject.io) API client for Python 3.x
-
-[![Build](https://github.com/hvac/hvac/actions/workflows/build-test.yml/badge.svg)](https://github.com/hvac/hvac/actions/workflows/build-test.yml)
-[![Lint](https://github.com/hvac/hvac/actions/workflows/lint-and-test.yml/badge.svg)](https://github.com/hvac/hvac/actions/workflows/lint-and-test.yml)
-[![codecov](https://codecov.io/gh/hvac/hvac/branch/main/graph/badge.svg)](https://codecov.io/gh/hvac/hvac)
-[![Documentation Status](https://readthedocs.org/projects/hvac/badge/)](https://hvac.readthedocs.io/en/latest/?badge=latest)
-[![PyPI version](https://badge.fury.io/py/hvac.svg)](https://badge.fury.io/py/hvac)
-[![Twitter - @python_hvac](https://img.shields.io/twitter/follow/python_hvac.svg?label=Twitter%20-%20@python_hvac&style=social?style=plastic)](https://twitter.com/python_hvac)
-[![Gitter chat](https://badges.gitter.im/hvac/community.png)](https://gitter.im/hvac/community)
-
-Tested against the latest release, HEAD ref, and 3 previous minor versions (counting back from the latest release) of Vault.
-Current official support covers Vault v1.4.7 or later.
-
-> **NOTE:** Support for EOL Python versions will be dropped at the end of 2022. Starting in 2023, hvac will track
-> with the CPython EOL dates.
-
-## Installation
-
-```console
-pip install hvac
-```
-
-If you would like to be able to return parsed HCL data as a Python dict for methods that support it:
-
-```console
-pip install "hvac[parser]"
-```
-
-## Documentation
-
-Additional documentation for this module available at: [hvac.readthedocs.io](https://hvac.readthedocs.io/en/stable/usage/index.html):
-
-* [Getting Started](https://hvac.readthedocs.io/en/stable/overview.html#getting-started)
-* [Usage](https://hvac.readthedocs.io/en/stable/usage/index.html)
-* [Advanced Usage](https://hvac.readthedocs.io/en/stable/advanced_usage.html)
-* [Source Reference / Autodoc](https://hvac.readthedocs.io/en/stable/source/index.html)
-* [Contributing](https://hvac.readthedocs.io/en/stable/contributing.html)
-* [Changelog](https://hvac.readthedocs.io/en/stable/changelog.html)
-
diff --git a/.venv/lib/python3.12/site-packages/hvac-2.3.0.dist-info/RECORD b/.venv/lib/python3.12/site-packages/hvac-2.3.0.dist-info/RECORD
deleted file mode 100644
index 318858f..0000000
--- a/.venv/lib/python3.12/site-packages/hvac-2.3.0.dist-info/RECORD
+++ /dev/null
@@ -1,142 +0,0 @@
-hvac-2.3.0.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4
-hvac-2.3.0.dist-info/LICENSE.txt,sha256=xllut76FgcGL5zbIRvuRc7aezPbvlMUTWJPsVr2Sugg,11358
-hvac-2.3.0.dist-info/METADATA,sha256=Yvx9ppc42yEZlnS6_aBOqMrh3SCKFn8-sStp9xPaKDk,3289
-hvac-2.3.0.dist-info/RECORD,,
-hvac-2.3.0.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-hvac-2.3.0.dist-info/WHEEL,sha256=d2fvjOD7sXsVzChCqf0Ty0JbHKBaLYwDbGQDwQTnJ50,88
-hvac/__init__.py,sha256=25yOT_z1e3psfyL8OXfLgGkoTfQQWu4k1ywdXGZpQyU,50
-hvac/__pycache__/__init__.cpython-312.pyc,,
-hvac/__pycache__/adapters.cpython-312.pyc,,
-hvac/__pycache__/aws_utils.cpython-312.pyc,,
-hvac/__pycache__/exceptions.cpython-312.pyc,,
-hvac/__pycache__/utils.cpython-312.pyc,,
-hvac/adapters.py,sha256=UepSWaL5k78gmV2LbALwtEztZa7ayNpKIlm_eAlOMJU,15613
-hvac/api/__init__.py,sha256=Vtjp1qAFqZE1N6aycW2-rlqOrTi8UqdRyIdXd7Z8c1M,423
-hvac/api/__pycache__/__init__.cpython-312.pyc,,
-hvac/api/__pycache__/vault_api_base.cpython-312.pyc,,
-hvac/api/__pycache__/vault_api_category.cpython-312.pyc,,
-hvac/api/auth_methods/__init__.py,sha256=SLR5FKdP317oWo3855ppXUxW4KHV3BGGKciRm05LwP0,1473
-hvac/api/auth_methods/__pycache__/__init__.cpython-312.pyc,,
-hvac/api/auth_methods/__pycache__/approle.cpython-312.pyc,,
-hvac/api/auth_methods/__pycache__/aws.cpython-312.pyc,,
-hvac/api/auth_methods/__pycache__/azure.cpython-312.pyc,,
-hvac/api/auth_methods/__pycache__/cert.cpython-312.pyc,,
-hvac/api/auth_methods/__pycache__/gcp.cpython-312.pyc,,
-hvac/api/auth_methods/__pycache__/github.cpython-312.pyc,,
-hvac/api/auth_methods/__pycache__/jwt.cpython-312.pyc,,
-hvac/api/auth_methods/__pycache__/kubernetes.cpython-312.pyc,,
-hvac/api/auth_methods/__pycache__/ldap.cpython-312.pyc,,
-hvac/api/auth_methods/__pycache__/legacy_mfa.cpython-312.pyc,,
-hvac/api/auth_methods/__pycache__/oidc.cpython-312.pyc,,
-hvac/api/auth_methods/__pycache__/okta.cpython-312.pyc,,
-hvac/api/auth_methods/__pycache__/radius.cpython-312.pyc,,
-hvac/api/auth_methods/__pycache__/token.cpython-312.pyc,,
-hvac/api/auth_methods/__pycache__/userpass.cpython-312.pyc,,
-hvac/api/auth_methods/approle.py,sha256=_PslA3ElGn2w94-4C5-sF4tKufWXi1WabYcH74Lw_uY,20691
-hvac/api/auth_methods/aws.py,sha256=O2-S9VbYc4bHsmePp5MXf13bncto1yMF0pnjUt93qWM,41982
-hvac/api/auth_methods/azure.py,sha256=cW9okkmjmYoeJ8JP9MRRNUZJs46ewrWJDCMb8hOmtAQ,13324
-hvac/api/auth_methods/cert.py,sha256=0PDlcqRTjncHULN_IGfJwWs4TmWMJ0KJrh7NjJre06w,14682
-hvac/api/auth_methods/gcp.py,sha256=hUDJF59BdE_MJPMBmZx2G_jG9WJ7lnoej1QPICaL_jo,18931
-hvac/api/auth_methods/github.py,sha256=cJCg2UsCvWi6t_EnG2Es3FbUL9XrNEG3Tc3nLqyzkM8,8498
-hvac/api/auth_methods/jwt.py,sha256=IALBbMV5f3GrTMViq6qDZTrUEktrXcFbmZ65dkTstV0,19920
-hvac/api/auth_methods/kubernetes.py,sha256=hCBlt08WLB92UG3MI8J7MS7ofBWxEza0sqQdVXkwJwE,12165
-hvac/api/auth_methods/ldap.py,sha256=pWX3ntv8SD4lNsXDC4zgW-FRGioA0n9i_RNQIXebD6I,22974
-hvac/api/auth_methods/legacy_mfa.py,sha256=FZzHu0iO1Vx88DRibuwRVusSS30wvnTwiwSrIf662Vs,6552
-hvac/api/auth_methods/oidc.py,sha256=oFqH8pR8YB6rSWcAhQ9zWTtYUraeb5DFyOqb5Gy2104,8743
-hvac/api/auth_methods/okta.py,sha256=LPEculhB2hTnTvbZSz3GkGR1yv7zKFXZWbofcUxkQlc,11397
-hvac/api/auth_methods/radius.py,sha256=PHe1FMPWHNObckq0jQSvumIjKVuMF4Pj3C4g-aHuCpw,8447
-hvac/api/auth_methods/token.py,sha256=9E21XyCt8o_mpMX1HRr4vAw9FV4E2xi9N9eTTw4uUNo,25885
-hvac/api/auth_methods/userpass.py,sha256=_HP0Nw7ayOcuNQiz2V11gGv-IXdDYeG1KDqalI6FJzI,5582
-hvac/api/secrets_engines/__init__.py,sha256=AbaviTERBkdJqqrkIW07UBSysrXBNeHTiJZVDDeXN08,1712
-hvac/api/secrets_engines/__pycache__/__init__.cpython-312.pyc,,
-hvac/api/secrets_engines/__pycache__/active_directory.cpython-312.pyc,,
-hvac/api/secrets_engines/__pycache__/aws.cpython-312.pyc,,
-hvac/api/secrets_engines/__pycache__/azure.cpython-312.pyc,,
-hvac/api/secrets_engines/__pycache__/consul.cpython-312.pyc,,
-hvac/api/secrets_engines/__pycache__/database.cpython-312.pyc,,
-hvac/api/secrets_engines/__pycache__/gcp.cpython-312.pyc,,
-hvac/api/secrets_engines/__pycache__/identity.cpython-312.pyc,,
-hvac/api/secrets_engines/__pycache__/kv.cpython-312.pyc,,
-hvac/api/secrets_engines/__pycache__/kv_v1.cpython-312.pyc,,
-hvac/api/secrets_engines/__pycache__/kv_v2.cpython-312.pyc,,
-hvac/api/secrets_engines/__pycache__/ldap.cpython-312.pyc,,
-hvac/api/secrets_engines/__pycache__/pki.cpython-312.pyc,,
-hvac/api/secrets_engines/__pycache__/rabbitmq.cpython-312.pyc,,
-hvac/api/secrets_engines/__pycache__/ssh.cpython-312.pyc,,
-hvac/api/secrets_engines/__pycache__/transform.cpython-312.pyc,,
-hvac/api/secrets_engines/__pycache__/transit.cpython-312.pyc,,
-hvac/api/secrets_engines/active_directory.py,sha256=1TCgHlaI8GqbVzXUtkDe4u2CVuYcFWVUCzYUZENp6GE,7150
-hvac/api/secrets_engines/aws.py,sha256=CGSMJaijMF-rRSIxS1ljPlnYEExKENVcOKkOrC_IK68,17328
-hvac/api/secrets_engines/azure.py,sha256=dmnZbOlU0CnPRfMo6c8OqEO7vLNVIw1-CziAi7qjmmA,7356
-hvac/api/secrets_engines/consul.py,sha256=Iuz7ajKWyZNaVEOJpZgq3A_njdALXaZE7G27RkMTIl0,6728
-hvac/api/secrets_engines/database.py,sha256=Qi3CWnzQEnlZvewpdF-VQrUCl4feIZV0TCiLtZoWpR8,15199
-hvac/api/secrets_engines/gcp.py,sha256=sqmLL0nbqj-_hdeR9cpLISQ8lEsLkJlUdmfD4_yEFBg,27976
-hvac/api/secrets_engines/identity.py,sha256=lKz2F-QFDhNh0L95DdyWj3E5XF8Bj_qxWHjCtf86jgc,60046
-hvac/api/secrets_engines/kv.py,sha256=0tgk1aZnklTgnOU2a2pJknGVv6v_RDP6_6ANp3uGIZw,3000
-hvac/api/secrets_engines/kv_v1.py,sha256=nHYjfA0F9_aAGCC3eMwVjS6bQhqA0gHgZIt7P3_XgDo,5811
-hvac/api/secrets_engines/kv_v2.py,sha256=ZZuChwOPwolnuswZdo9WtQS89lMTxn-3Mt1W5xChC4U,20348
-hvac/api/secrets_engines/ldap.py,sha256=VktJ8jNLm2bUoy_Ku9SV_W-Xs7IDzsQoc2VOHzzE8f8,10096
-hvac/api/secrets_engines/pki.py,sha256=R5hwLbwhN8dzQ3DceP_NlR_OjYMcDBS-RAPc0k4kQpI,28739
-hvac/api/secrets_engines/rabbitmq.py,sha256=aT-KhKdGI7JJwBC1IbM1p79LATKOYBCQBYJSw3bIX6Y,5823
-hvac/api/secrets_engines/ssh.py,sha256=GoUOCUlZwxrTei_gs2gkqsCVGOckxFrQ9-AdrmQef9g,21482
-hvac/api/secrets_engines/transform.py,sha256=9wv-jQF7llueFJojxr1tRkc1LDJ2bHoXRJ-VNdTdgeA,45096
-hvac/api/secrets_engines/transit.py,sha256=VsIZXG2k6Oc1_WgCUOklFG-4cHkPWHWroALfmRLNX2I,52778
-hvac/api/system_backend/__init__.py,sha256=GNFcfUQBPH58-j7Y_XV7qj-b1sAme8Ke-aBV4OWU3c4,1888
-hvac/api/system_backend/__pycache__/__init__.cpython-312.pyc,,
-hvac/api/system_backend/__pycache__/audit.cpython-312.pyc,,
-hvac/api/system_backend/__pycache__/auth.cpython-312.pyc,,
-hvac/api/system_backend/__pycache__/capabilities.cpython-312.pyc,,
-hvac/api/system_backend/__pycache__/health.cpython-312.pyc,,
-hvac/api/system_backend/__pycache__/init.cpython-312.pyc,,
-hvac/api/system_backend/__pycache__/key.cpython-312.pyc,,
-hvac/api/system_backend/__pycache__/leader.cpython-312.pyc,,
-hvac/api/system_backend/__pycache__/lease.cpython-312.pyc,,
-hvac/api/system_backend/__pycache__/mount.cpython-312.pyc,,
-hvac/api/system_backend/__pycache__/namespace.cpython-312.pyc,,
-hvac/api/system_backend/__pycache__/policies.cpython-312.pyc,,
-hvac/api/system_backend/__pycache__/policy.cpython-312.pyc,,
-hvac/api/system_backend/__pycache__/quota.cpython-312.pyc,,
-hvac/api/system_backend/__pycache__/raft.cpython-312.pyc,,
-hvac/api/system_backend/__pycache__/seal.cpython-312.pyc,,
-hvac/api/system_backend/__pycache__/system_backend_mixin.cpython-312.pyc,,
-hvac/api/system_backend/__pycache__/wrapping.cpython-312.pyc,,
-hvac/api/system_backend/audit.py,sha256=97tMu2j3IAI5Qc7ZnZDHr64SeRxhxmWHna5iBN7JE58,3741
-hvac/api/system_backend/auth.py,sha256=txIGYVzFfl7ZSRrwQHvjsqzTQjm4pSJwlnrGFgeUsmI,9289
-hvac/api/system_backend/capabilities.py,sha256=B1o-ZoBbYpfs2a1LSEV7nhjAFqJhl7w5wY6mMcn7ymQ,1668
-hvac/api/system_backend/health.py,sha256=8OiVoqfKpRA0Bc-V9N4MVqgATt3Le0cPgmaZluMPsG8,3310
-hvac/api/system_backend/init.py,sha256=Nbh3ppRNni_vWjGYIZVnVtYYTB7DbzEH_xdwRGpigSY,6253
-hvac/api/system_backend/key.py,sha256=v6x7ZaLfPQgkj5P9txGPEZ1r8utgi6rg-MLAm1EJxQA,15889
-hvac/api/system_backend/leader.py,sha256=cdIu2SUb3y1idNapmyex8wjHDm6PA9ySWumOxDBaYdE,1235
-hvac/api/system_backend/lease.py,sha256=vJvOowbzfgJsSueL3pKMYRgXBusbLankKtNh7noOlDc,4326
-hvac/api/system_backend/mount.py,sha256=7Rrhl5vlT7QgM_D20O5RxxpHjPXNKaJgPNGaa1ODsFM,10108
-hvac/api/system_backend/namespace.py,sha256=hwbOr2dtvfj7EH0uP4l9O8rJ4GwxKtnZc1HaxDDxnls,1393
-hvac/api/system_backend/policies.py,sha256=Xf_7fXwQeY8OflkohXpc35wUrQr8n_b__ZsF865G0JM,8182
-hvac/api/system_backend/policy.py,sha256=29EYX1UxXE-vdNa2x3gdt9Mi2336qnJ1uY6Q03VxeoU,2794
-hvac/api/system_backend/quota.py,sha256=ppaVdrs46iNCfpgIj5gnH0TmQG4m9k44AgcSLIG7Mpw,3773
-hvac/api/system_backend/raft.py,sha256=san20cG6alWabdBn-uW2eWoEHGUk35YdcBPLxLJzD3E,9440
-hvac/api/system_backend/seal.py,sha256=xvIoHbNB7gaVR1uBkJnyYBb29qGI046hbibcrti3ByI,3471
-hvac/api/system_backend/system_backend_mixin.py,sha256=LXCLy-gUv0g9E3noH4m-eqOw5VCmCQjPTZZ7Lp-YBK8,265
-hvac/api/system_backend/wrapping.py,sha256=vzRitztAxnH8ameFlu9BsFeuLrRrZHPwEx8otNQuJjA,1864
-hvac/api/vault_api_base.py,sha256=W7L0_xtr0MYUQScryrH6D5pVK5PtAt-3MB4orflhqZc,479
-hvac/api/vault_api_category.py,sha256=21xWhmiQl5mbCJFX7RXxYFszZGdDiJACa4AH9QoPNzY,3678
-hvac/aws_utils.py,sha256=atwshypIx9bH1OPyWL5W_Qxxixnzdz5oY82P7bO1smQ,3607
-hvac/constants/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-hvac/constants/__pycache__/__init__.cpython-312.pyc,,
-hvac/constants/__pycache__/approle.cpython-312.pyc,,
-hvac/constants/__pycache__/aws.cpython-312.pyc,,
-hvac/constants/__pycache__/azure.cpython-312.pyc,,
-hvac/constants/__pycache__/client.cpython-312.pyc,,
-hvac/constants/__pycache__/gcp.cpython-312.pyc,,
-hvac/constants/__pycache__/identity.cpython-312.pyc,,
-hvac/constants/__pycache__/transit.cpython-312.pyc,,
-hvac/constants/approle.py,sha256=7-lnC94mv9dYaRdXsIO086g_MpyTzdzp0wUM1aOGfsc,220
-hvac/constants/aws.py,sha256=RBkigoImCLfqq15ewDI47vcQr1DwBw_6uvI6FSm-v18,363
-hvac/constants/azure.py,sha256=yXd1zfqqWS76BMXYk7J9EjFQ3ovJFr5aosBHDEwklcA,221
-hvac/constants/client.py,sha256=nNUZAIoPDnBQ059YfX-W4FuUdV-YyGZ41BbEmCw99eg,927
-hvac/constants/gcp.py,sha256=eTLXYmlFNO3_cI-IGk1ZD1Ghm1XJEE7Xq96fzJmvVhU,515
-hvac/constants/identity.py,sha256=O1svKIkL01h1ZkSBtSoODquVmX9U9v04re_GCIHVuoE,170
-hvac/constants/transit.py,sha256=MlUlCMDnBaq78eFUeFwB8XdjCK_D4JXprzq9i47w_TA,900
-hvac/exceptions.py,sha256=wIk8OfRLk-XYM5cb5dV6RyZ73K8uI139Anlvp-MvgcU,1550
-hvac/utils.py,sha256=DHqdUzkZTSzGX4WE0H4uQvoM5wEDUAKb7Ci0wMjHOEU,18109
-hvac/v1/__init__.py,sha256=M3AQMg1wK-qGJo8EVluw5iBQN3v9UdCPj_g2gP9zm50,17275
-hvac/v1/__pycache__/__init__.cpython-312.pyc,,
diff --git a/.venv/lib/python3.12/site-packages/hvac-2.3.0.dist-info/REQUESTED b/.venv/lib/python3.12/site-packages/hvac-2.3.0.dist-info/REQUESTED
deleted file mode 100644
index e69de29..0000000
diff --git a/.venv/lib/python3.12/site-packages/hvac-2.3.0.dist-info/WHEEL b/.venv/lib/python3.12/site-packages/hvac-2.3.0.dist-info/WHEEL
deleted file mode 100644
index 3695fd1..0000000
--- a/.venv/lib/python3.12/site-packages/hvac-2.3.0.dist-info/WHEEL
+++ /dev/null
@@ -1,4 +0,0 @@
-Wheel-Version: 1.0
-Generator: poetry-core 1.7.0
-Root-Is-Purelib: true
-Tag: py3-none-any
diff --git a/.venv/lib/python3.12/site-packages/hvac/__init__.py b/.venv/lib/python3.12/site-packages/hvac/__init__.py
deleted file mode 100644
index b8594ac..0000000
--- a/.venv/lib/python3.12/site-packages/hvac/__init__.py
+++ /dev/null
@@ -1,3 +0,0 @@
-from hvac.v1 import Client
-
-__all__ = ("Client",)
diff --git a/.venv/lib/python3.12/site-packages/hvac/__pycache__/__init__.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/__pycache__/__init__.cpython-312.pyc
deleted file mode 100644
index 03cbdad..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/__pycache__/__init__.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/__pycache__/adapters.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/__pycache__/adapters.cpython-312.pyc
deleted file mode 100644
index 6ccf146..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/__pycache__/adapters.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/__pycache__/aws_utils.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/__pycache__/aws_utils.cpython-312.pyc
deleted file mode 100644
index d42beca..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/__pycache__/aws_utils.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/__pycache__/exceptions.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/__pycache__/exceptions.cpython-312.pyc
deleted file mode 100644
index a3dadf6..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/__pycache__/exceptions.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/__pycache__/utils.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/__pycache__/utils.cpython-312.pyc
deleted file mode 100644
index e4ab638..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/__pycache__/utils.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/adapters.py b/.venv/lib/python3.12/site-packages/hvac/adapters.py
deleted file mode 100644
index 1ea601d..0000000
--- a/.venv/lib/python3.12/site-packages/hvac/adapters.py
+++ /dev/null
@@ -1,419 +0,0 @@ -""" -HTTP Client Library Adapters - -""" -from abc import ABCMeta, abstractmethod - -import requests -import requests.exceptions - -from hvac import utils -from hvac.constants.client import DEFAULT_URL - - -class Adapter(metaclass=ABCMeta): - """Abstract base class used when constructing adapters for use with the Client class.""" - - @classmethod - def from_adapter( - cls, - adapter, - ): - """Create a new adapter based on an existing Adapter instance. - This can be used to create a new type of adapter that inherits the properties of an existing one. - - :param adapter: The existing Adapter instance. - :type adapter: hvac.Adapters.Adapter - """ - - return cls( - base_uri=adapter.base_uri, - token=adapter.token, - cert=adapter._kwargs.get("cert"), - verify=adapter._kwargs.get("verify"), - timeout=adapter._kwargs.get("timeout"), - proxies=adapter._kwargs.get("proxies"), - allow_redirects=adapter.allow_redirects, - session=adapter.session, - namespace=adapter.namespace, - ignore_exceptions=adapter.ignore_exceptions, - strict_http=adapter.strict_http, - request_header=adapter.request_header, - ) - - def __init__( - self, - base_uri=DEFAULT_URL, - token=None, - cert=None, - verify=True, - timeout=30, - proxies=None, - allow_redirects=True, - session=None, - namespace=None, - ignore_exceptions=False, - strict_http=False, - request_header=True, - ): - """Create a new request adapter instance. - - :param base_uri: Base URL for the Vault instance being addressed. - :type base_uri: str - :param token: Authentication token to include in requests sent to Vault. - :type token: str - :param cert: Certificates for use in requests sent to the Vault instance. This should be a tuple with the - certificate and then key. - :type cert: tuple - :param verify: Either a boolean to indicate whether TLS verification should be performed when sending requests to Vault, - or a string pointing at the CA bundle to use for verification. 
See http://docs.python-requests.org/en/master/user/advanced/#ssl-cert-verification. - :type verify: Union[bool,str] - :param timeout: The timeout value for requests sent to Vault. - :type timeout: int - :param proxies: Proxies to use when preforming requests. - See: http://docs.python-requests.org/en/master/user/advanced/#proxies - :type proxies: dict - :param allow_redirects: Whether to follow redirects when sending requests to Vault. - :type allow_redirects: bool - :param session: Optional session object to use when performing request. - :type session: request.Session - :param namespace: Optional Vault Namespace. - :type namespace: str - :param ignore_exceptions: If True, _always_ return the response object for a given request. I.e., don't raise an exception - based on response status code, etc. - :type ignore_exceptions: bool - :param strict_http: If True, use only standard HTTP verbs in request with additional params, otherwise process as is - :type strict_http: bool - :param request_header: If true, add the X-Vault-Request header to all requests to protect against SSRF vulnerabilities. - :type request_header: bool - """ - if not session: - session = requests.Session() - session.cert, session.verify, session.proxies = cert, verify, proxies - # fix for issue 991 using session verify if set - else: - if session.verify: - # need to set the variable and not assign it to self so it is properly passed in kwargs - verify = session.verify - if session.cert: - cert = session.cert - if session.proxies: - proxies = session.proxies - - self.base_uri = base_uri - self.token = token - self.namespace = namespace - self.session = session - self.allow_redirects = allow_redirects - self.ignore_exceptions = ignore_exceptions - self.strict_http = strict_http - self.request_header = request_header - - self._kwargs = { - "cert": cert, - "verify": verify, - "timeout": timeout, - "proxies": proxies, - } - - @staticmethod - def urljoin(*args): - """Joins given arguments into a url. 
Trailing and leading slashes are stripped for each argument. - - :param args: Multiple parts of a URL to be combined into one string. - :type args: str | unicode - :return: Full URL combining all provided arguments - :rtype: str | unicode - """ - - return "/".join(map(lambda x: str(x).strip("/"), args)) - - def close(self): - """Close the underlying Requests session.""" - self.session.close() - - def get(self, url, **kwargs): - """Performs a GET request. - - :param url: Partial URL path to send the request to. This will be joined to the end of the instance's base_uri - attribute. - :type url: str | unicode - :param kwargs: Additional keyword arguments to include in the requests call. - :type kwargs: dict - :return: The response of the request. - :rtype: requests.Response - """ - return self.request("get", url, **kwargs) - - def post(self, url, **kwargs): - """Performs a POST request. - - :param url: Partial URL path to send the request to. This will be joined to the end of the instance's base_uri - attribute. - :type url: str | unicode - :param kwargs: Additional keyword arguments to include in the requests call. - :type kwargs: dict - :return: The response of the request. - :rtype: requests.Response - """ - return self.request("post", url, **kwargs) - - def put(self, url, **kwargs): - """Performs a PUT request. - - :param url: Partial URL path to send the request to. This will be joined to the end of the instance's base_uri - attribute. - :type url: str | unicode - :param kwargs: Additional keyword arguments to include in the requests call. - :type kwargs: dict - :return: The response of the request. - :rtype: requests.Response - """ - return self.request("put", url, **kwargs) - - def delete(self, url, **kwargs): - """Performs a DELETE request. - - :param url: Partial URL path to send the request to. This will be joined to the end of the instance's base_uri - attribute. 
- :type url: str | unicode - :param kwargs: Additional keyword arguments to include in the requests call. - :type kwargs: dict - :return: The response of the request. - :rtype: requests.Response - """ - return self.request("delete", url, **kwargs) - - def list(self, url, **kwargs): - """Performs a LIST request. - - :param url: Partial URL path to send the request to. This will be joined to the end of the instance's base_uri - attribute. - :type url: str | unicode - :param kwargs: Additional keyword arguments to include in the requests call. - :type kwargs: dict - :return: The response of the request. - :rtype: requests.Response - """ - return self.request("list", url, **kwargs) - - def head(self, url, **kwargs): - """Performs a HEAD request. - - :param url: Partial URL path to send the request to. This will be joined to the end of the instance's base_uri - attribute. - :type url: str | unicode - :param kwargs: Additional keyword arguments to include in the requests call. - :type kwargs: dict - :return: The response of the request. - :rtype: requests.Response - """ - return self.request("head", url, **kwargs) - - def login(self, url, use_token=True, **kwargs): - """Perform a login request. - - Associated request is typically to a path prefixed with "/v1/auth") and optionally stores the client token sent - in the resulting Vault response for use by the :py:meth:`hvac.adapters.Adapter` instance under the _adapter - Client attribute. - - :param url: Path to send the authentication request to. - :type url: str | unicode - :param use_token: if True, uses the token in the response received from the auth request to set the "token" - attribute on the the :py:meth:`hvac.adapters.Adapter` instance under the _adapter Client attribute. - :type use_token: bool - :param kwargs: Additional keyword arguments to include in the params sent with the request. - :type kwargs: dict - :return: The response of the auth request. 
- :rtype: requests.Response - """ - response = self.post(url, **kwargs) - - if use_token: - self.token = self.get_login_token(response) - - return response - - @abstractmethod - def get_login_token(self, response): - """Extracts the client token from a login response. - - :param response: The response object returned by the login method. - :return: A client token. - :rtype: str - """ - return NotImplementedError - - @abstractmethod - def request(self, method, url, headers=None, raise_exception=True, **kwargs): - """Main method for routing HTTP requests to the configured Vault base_uri. Intended to be implement by subclasses. - - :param method: HTTP method to use with the request. E.g., GET, POST, etc. - :type method: str - :param url: Partial URL path to send the request to. This will be joined to the end of the instance's base_uri - attribute. - :type url: str | unicode - :param headers: Additional headers to include with the request. - :type headers: dict - :param kwargs: Additional keyword arguments to include in the requests call. - :type kwargs: dict - :param raise_exception: If True, raise an exception via utils.raise_for_error(). Set this parameter to False to - bypass this functionality. - :type raise_exception: bool - :return: The response of the request. - :rtype: requests.Response - """ - raise NotImplementedError - - -class RawAdapter(Adapter): - """ - The RawAdapter adapter class. - This adapter adds Vault-specific headers as required and optionally raises exceptions on errors, - but always returns Response objects for requests. 
- """ - - def _raise_for_error(self, method: str, url: str, response: requests.Response): - msg = json = text = errors = None - try: - text = response.text - except Exception: - pass - - if response.headers.get("Content-Type") == "application/json": - try: - json = response.json() - except Exception: - pass - else: - errors = json.get("errors") - - if errors is None: - msg = text - - utils.raise_for_error( - method, - url, - response.status_code, - msg, - errors=errors, - text=text, - json=json, - ) - - def get_login_token(self, response): - """Extracts the client token from a login response. - - :param response: The response object returned by the login method. - :type response: requests.Response - :return: A client token. - :rtype: str - """ - response_json = response.json() - return response_json["auth"]["client_token"] - - def request(self, method, url, headers=None, raise_exception=True, **kwargs): - """Main method for routing HTTP requests to the configured Vault base_uri. - - :param method: HTTP method to use with the request. E.g., GET, POST, etc. - :type method: str - :param url: Partial URL path to send the request to. This will be joined to the end of the instance's base_uri - attribute. - :type url: str | unicode - :param headers: Additional headers to include with the request. - :type headers: dict - :param raise_exception: If True, raise an exception via utils.raise_for_error(). Set this parameter to False to - bypass this functionality. - :type raise_exception: bool - :param kwargs: Additional keyword arguments to include in the requests call. - :type kwargs: dict - :return: The response of the request. - :rtype: requests.Response - """ - while "//" in url: - # Vault CLI treats a double forward slash ('//') as a single forward slash for a given path. - # To avoid issues with the requests module's redirection logic, we perform the same translation here. 
- url = url.replace("//", "/") - - url = self.urljoin(self.base_uri, url) - - if not headers: - headers = {} - - if self.request_header: - headers["X-Vault-Request"] = "true" - - if self.token: - headers["X-Vault-Token"] = self.token - - if self.namespace: - headers["X-Vault-Namespace"] = self.namespace - - wrap_ttl = kwargs.pop("wrap_ttl", None) - if wrap_ttl: - headers["X-Vault-Wrap-TTL"] = str(wrap_ttl) - - _kwargs = self._kwargs.copy() - _kwargs.update(kwargs) - - if self.strict_http and method.lower() in ("list",): - # Entry point for standard HTTP substitution - params = _kwargs.get("params", {}) - if method.lower() == "list": - method = "get" - params.update({"list": "true"}) - _kwargs["params"] = params - - response = self.session.request( - method=method, - url=url, - headers=headers, - allow_redirects=self.allow_redirects, - **_kwargs - ) - - if not response.ok and (raise_exception and not self.ignore_exceptions): - self._raise_for_error(method, url, response) - - return response - - -class JSONAdapter(RawAdapter): - """ - The JSONAdapter adapter class. - This adapter works just like the RawAdapter adapter except that HTTP 200 responses are returned as JSON dicts. - All non-200 responses are returned as Response objects. - """ - - def get_login_token(self, response): - """Extracts the client token from a login response. - - :param response: The response object returned by the login method. - :type response: dict | requests.Response - :return: A client token. - :rtype: str - """ - return response["auth"]["client_token"] - - def request(self, *args, **kwargs): - """Main method for routing HTTP requests to the configured Vault base_uri. - - :param args: Positional arguments to pass to RawAdapter.request. - :type args: list - :param kwargs: Keyword arguments to pass to RawAdapter.request. - :type kwargs: dict - :return: Dict on HTTP 200 with JSON body, otherwise the response object. 
- :rtype: dict | requests.Response - """ - response = super().request(*args, **kwargs) - if response.status_code == 200: - try: - return response.json() - except ValueError: - pass - - return response - - -# Retaining the legacy name -Request = RawAdapter diff --git a/.venv/lib/python3.12/site-packages/hvac/api/__init__.py b/.venv/lib/python3.12/site-packages/hvac/api/__init__.py deleted file mode 100644 index d8d3d93..0000000 --- a/.venv/lib/python3.12/site-packages/hvac/api/__init__.py +++ /dev/null @@ -1,14 +0,0 @@ -"""Collection of Vault API endpoint classes.""" -from hvac.api.auth_methods import AuthMethods -from hvac.api.secrets_engines import SecretsEngines -from hvac.api.system_backend import SystemBackend -from hvac.api.vault_api_base import VaultApiBase -from hvac.api.vault_api_category import VaultApiCategory - -__all__ = ( - "AuthMethods", - "SecretsEngines", - "SystemBackend", - "VaultApiBase", - "VaultApiCategory", -) diff --git a/.venv/lib/python3.12/site-packages/hvac/api/__pycache__/__init__.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/__pycache__/__init__.cpython-312.pyc deleted file mode 100644 index f5fe169..0000000 Binary files a/.venv/lib/python3.12/site-packages/hvac/api/__pycache__/__init__.cpython-312.pyc and /dev/null differ diff --git a/.venv/lib/python3.12/site-packages/hvac/api/__pycache__/vault_api_base.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/__pycache__/vault_api_base.cpython-312.pyc deleted file mode 100644 index 5393404..0000000 Binary files a/.venv/lib/python3.12/site-packages/hvac/api/__pycache__/vault_api_base.cpython-312.pyc and /dev/null differ 
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/__pycache__/vault_api_category.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/__pycache__/vault_api_category.cpython-312.pyc
deleted file mode 100644
index 8c5d853..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/api/__pycache__/vault_api_category.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__init__.py b/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__init__.py
deleted file mode 100644
index 91df887..0000000
--- a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__init__.py
+++ /dev/null
@@ -1,64 +0,0 @@
-"""Collection of classes for various Vault auth methods."""
-
-from hvac.api.auth_methods.approle import AppRole
-from hvac.api.auth_methods.azure import Azure
-from hvac.api.auth_methods.gcp import Gcp
-from hvac.api.auth_methods.github import Github
-from hvac.api.auth_methods.jwt import JWT
-from hvac.api.auth_methods.kubernetes import Kubernetes
-from hvac.api.auth_methods.ldap import Ldap
-from hvac.api.auth_methods.userpass import Userpass
-from hvac.api.auth_methods.legacy_mfa import LegacyMfa
-from hvac.api.auth_methods.oidc import OIDC
-from hvac.api.auth_methods.okta import Okta
-from hvac.api.auth_methods.radius import Radius
-from hvac.api.auth_methods.token import Token
-from hvac.api.auth_methods.aws import Aws
-from hvac.api.auth_methods.cert import Cert
-from hvac.api.vault_api_category import VaultApiCategory
-
-__all__ = (
- "AuthMethods",
- "AppRole",
- "Azure",
- "Gcp",
- "Github",
- "JWT",
- "Kubernetes",
- "Ldap",
- "Userpass",
- "LegacyMfa",
- "OIDC",
- "Okta",
- "Radius",
- "Token",
- "Aws",
- "Cert",
-)
-
-
-class AuthMethods(VaultApiCategory):
- """Auth Methods."""
-
- implemented_classes = [
- AppRole,
- Azure,
- Github,
- Gcp,
- JWT,
- Kubernetes,
- Ldap,
- Userpass,
- LegacyMfa,
- OIDC,
- Okta,
- Radius,
- Token,
- Aws,
- Cert,
- ]
- unimplemented_classes = [
- "AppId",
- "AliCloud",
- "Mfa",
- ]
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/__init__.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/__init__.cpython-312.pyc
deleted file mode 100644
index 24bb6ad..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/__init__.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/approle.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/approle.cpython-312.pyc
deleted file mode 100644
index 18b3f88..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/approle.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/aws.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/aws.cpython-312.pyc
deleted file mode 100644
index adca494..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/aws.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/azure.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/azure.cpython-312.pyc
deleted file mode 100644
index 532e73d..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/azure.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/cert.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/cert.cpython-312.pyc
deleted file mode 100644
index e5df720..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/cert.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/gcp.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/gcp.cpython-312.pyc
deleted file mode 100644
index 1ae1426..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/gcp.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/github.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/github.cpython-312.pyc
deleted file mode 100644
index a165659..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/github.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/jwt.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/jwt.cpython-312.pyc
deleted file mode 100644
index e4d248f..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/jwt.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/kubernetes.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/kubernetes.cpython-312.pyc
deleted file mode 100644
index be8628a..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/kubernetes.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/ldap.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/ldap.cpython-312.pyc
deleted file mode 100644
index e87c262..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/ldap.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/legacy_mfa.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/legacy_mfa.cpython-312.pyc
deleted file mode 100644
index 2b027eb..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/legacy_mfa.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/oidc.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/oidc.cpython-312.pyc
deleted file mode 100644
index 1abe3c8..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/oidc.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/okta.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/okta.cpython-312.pyc
deleted file mode 100644
index 67fb621..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/okta.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/radius.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/radius.cpython-312.pyc
deleted file mode 100644
index 2c1fe4f..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/radius.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/token.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/token.cpython-312.pyc
deleted file mode 100644
index 943b44e..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/token.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/userpass.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/userpass.cpython-312.pyc
deleted file mode 100644
index 690ba38..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/__pycache__/userpass.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/approle.py b/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/approle.py
deleted file mode 100644
index 4f6f750..0000000
--- a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/approle.py
+++ /dev/null
@@ -1,510 +0,0 @@ -#!/usr/bin/env python -"""APPROLE methods module.""" -import json -from hvac import exceptions, utils -from hvac.api.vault_api_base import VaultApiBase -from hvac.constants.approle import DEFAULT_MOUNT_POINT, ALLOWED_TOKEN_TYPES -from hvac.utils import validate_list_of_strings_param, list_to_comma_delimited - - -class AppRole(VaultApiBase): - """USERPASS Auth Method (API). - Reference: https://www.vaultproject.io/api-docs/auth/approle/index.html - """ - - def create_or_update_approle( - self, - role_name, - bind_secret_id=None, - secret_id_bound_cidrs=None, - secret_id_num_uses=None, - secret_id_ttl=None, - enable_local_secret_ids=None, - token_ttl=None, - token_max_ttl=None, - token_policies=None, - token_bound_cidrs=None, - token_explicit_max_ttl=None, - token_no_default_policy=None, - token_num_uses=None, - token_period=None, - token_type=None, - mount_point=DEFAULT_MOUNT_POINT, - ): - """ - Create/update approle. - - Supported methods: - POST: /auth/{mount_point}/role/{role_name}. Produces: 204 (empty body) - - :param role_name: The name for the approle. - :type role_name: str | unicode - :param bind_secret_id: Require secret_id to be presented when logging in using this approle. - :type bind_secret_id: bool - :param secret_id_bound_cidrs: Blocks of IP addresses which can perform login operations. - :type secret_id_bound_cidrs: list - :param secret_id_num_uses: Number of times any secret_id can be used to fetch a token. - A value of zero allows unlimited uses. - :type secret_id_num_uses: int - :param secret_id_ttl: Duration after which a secret_id expires. This can be specified - as an integer number of seconds or as a duration value like "5m". - :type secret_id_ttl: str | unicode - :param enable_local_secret_ids: Secret IDs generated using role will be cluster local. - :type enable_local_secret_ids: bool - :param token_ttl: Incremental lifetime for generated tokens. 
This can be specified - as an integer number of seconds or as a duration value like "5m". - :type token_ttl: str | unicode - :param token_max_ttl: Maximum lifetime for generated tokens: This can be specified - as an integer number of seconds or as a duration value like "5m". - :type token_max_ttl: str | unicode - :param token_policies: List of policies to encode onto generated tokens. - :type token_policies: list - :param token_bound_cidrs: Blocks of IP addresses which can authenticate successfully. - :type token_bound_cidrs: list - :param token_explicit_max_ttl: If set, will encode an explicit max TTL onto the token. This can be specified - as an integer number of seconds or as a duration value like "5m". - :type token_explicit_max_ttl: str | unicode - :param token_no_default_policy: Do not add the default policy to generated tokens, use only tokens - specified in token_policies. - :type token_no_default_policy: bool - :param token_num_uses: Maximum number of times a generated token may be used. A value of zero - allows unlimited uses. - :type token_num_uses: int - :param token_period: The period, if any, to set on the token. This can be specified - as an integer number of seconds or as a duration value like "5m". - :type token_period: str | unicode - :param token_type: The type of token that should be generated, can be "service", "batch", or "default". - :type token_type: str | unicode - :param mount_point: The "path" the method/backend was mounted on. 
- :type mount_point: str | unicode - """ - list_of_strings_params = { - "secret_id_bound_cidrs": secret_id_bound_cidrs, - "token_policies": token_policies, - "token_bound_cidrs": token_bound_cidrs, - } - - if token_type is not None and token_type not in ALLOWED_TOKEN_TYPES: - error_msg = 'unsupported token_type argument provided "{arg}", supported types: "{token_types}"' - raise exceptions.ParamValidationError( - error_msg.format( - arg=token_type, - token_types=",".join(ALLOWED_TOKEN_TYPES), - ) - ) - - params = dict() - - for param_name, param_argument in list_of_strings_params.items(): - validate_list_of_strings_param( - param_name=param_name, - param_argument=param_argument, - ) - if param_argument is not None: - params[param_name] = list_to_comma_delimited(param_argument) - - params.update( - utils.remove_nones( - { - "bind_secret_id": bind_secret_id, - "secret_id_num_uses": secret_id_num_uses, - "secret_id_ttl": secret_id_ttl, - "enable_local_secret_ids": enable_local_secret_ids, - "token_ttl": token_ttl, - "token_max_ttl": token_max_ttl, - "token_explicit_max_ttl": token_explicit_max_ttl, - "token_no_default_policy": token_no_default_policy, - "token_num_uses": token_num_uses, - "token_period": token_period, - "token_type": token_type, - } - ) - ) - - api_path = utils.format_url( - "/v1/auth/{mount_point}/role/{name}", - mount_point=mount_point, - name=role_name, - ) - return self._adapter.post(url=api_path, json=params) - - def list_roles(self, mount_point=DEFAULT_MOUNT_POINT): - """ - List existing roles created in the auth method. - - Supported methods: - LIST: /auth/{mount_point}/role. Produces: 200 application/json - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the list_roles request. 
- :rtype: dict - """ - api_path = utils.format_url( - "/v1/auth/{mount_point}/role", mount_point=mount_point - ) - return self._adapter.list(url=api_path) - - def read_role(self, role_name, mount_point=DEFAULT_MOUNT_POINT): - """ - Read role in the auth method. - - Supported methods: - GET: /auth/{mount_point}/role/{role_name}. Produces: 200 application/json - - :param role_name: The name for the role. - :type role_name: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the read_role request. - :rtype: dict - """ - api_path = utils.format_url( - "/v1/auth/{mount_point}/role/{role_name}", - mount_point=mount_point, - role_name=role_name, - ) - return self._adapter.get(url=api_path) - - def delete_role(self, role_name, mount_point=DEFAULT_MOUNT_POINT): - """ - Delete role in the auth method. - - Supported methods: - DELETE: /auth/{mount_point}/role/{role_name}. Produces: 204 (empty body) - - :param role_name: The name for the role. - :type role_name: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - """ - api_path = utils.format_url( - "/v1/auth/{mount_point}/role/{role_name}", - mount_point=mount_point, - role_name=role_name, - ) - return self._adapter.delete(url=api_path) - - def read_role_id(self, role_name, mount_point=DEFAULT_MOUNT_POINT): - """ - Reads the Role ID of a role in the auth method. - - Supported methods: - GET: /auth/{mount_point}/role/{role_name}/role-id. Produces: 200 application/json - - :param role_name: The name for the role. - :type role_name: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the read_role_id request. 
- :rtype: dict - """ - api_path = utils.format_url( - "/v1/auth/{mount_point}/role/{role_name}/role-id", - mount_point=mount_point, - role_name=role_name, - ) - return self._adapter.get(url=api_path) - - def update_role_id(self, role_name, role_id, mount_point=DEFAULT_MOUNT_POINT): - """ - Updates the Role ID of a role in the auth method. - - Supported methods: - POST: /auth/{mount_point}/role/{role_name}/role-id. Produces: 200 application/json - - :param role_name: The name for the role. - :type role_name: str | unicode - :param role_id: New value for the Role ID. - :type role_id: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the read_role_id request. - :rtype: dict - """ - params = {"role_id": role_id} - - api_path = utils.format_url( - "/v1/auth/{mount_point}/role/{role_name}/role-id", - mount_point=mount_point, - role_name=role_name, - ) - return self._adapter.post(url=api_path, json=params) - - def generate_secret_id( - self, - role_name, - metadata=None, - cidr_list=None, - token_bound_cidrs=None, - mount_point=DEFAULT_MOUNT_POINT, - wrap_ttl=None, - ): - """ - Generates and issues a new Secret ID on a role in the auth method. - - Supported methods: - POST: /auth/{mount_point}/role/{role_name}/secret-id. Produces: 200 application/json - - :param role_name: The name for the role. - :type role_name: str | unicode - :param metadata: Metadata to be tied to the Secret ID. - :type metadata: dict - :param cidr_list: Blocks of IP addresses which can perform login operations. - :type cidr_list: list - :param token_bound_cidrs: Blocks of IP addresses which can authenticate successfully. - :type token_bound_cidrs: list - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :param wrap_ttl: Returns the request as a response-wrapping token. 
- Can be either an integer number of seconds or a string duration of seconds (`15s`), minutes (`20m`), or hours (`25h`).
- :type wrap_ttl: int | str
- :return: The JSON response of the read_role_id request.
- :rtype: dict
- """
- if metadata is not None and not isinstance(metadata, dict):
- error_msg = 'unsupported metadata argument provided "{arg}" ({arg_type}), required type: dict"'
- raise exceptions.ParamValidationError(
- error_msg.format(
- arg=metadata,
- arg_type=type(metadata),
- )
- )
-
- params = {}
- if metadata:
- params = {"metadata": json.dumps(metadata)}
-
- list_of_strings_params = {
- "cidr_list": cidr_list,
- "token_bound_cidrs": token_bound_cidrs,
- }
- for param_name, param_argument in list_of_strings_params.items():
- validate_list_of_strings_param(
- param_name=param_name,
- param_argument=param_argument,
- )
- if param_argument is not None:
- params[param_name] = list_to_comma_delimited(param_argument)
-
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/role/{role_name}/secret-id",
- mount_point=mount_point,
- role_name=role_name,
- )
- return self._adapter.post(url=api_path, json=params, wrap_ttl=wrap_ttl)
-
- def create_custom_secret_id(
- self,
- role_name,
- secret_id,
- metadata=None,
- cidr_list=None,
- token_bound_cidrs=None,
- mount_point=DEFAULT_MOUNT_POINT,
- wrap_ttl=None,
- ):
- """
- Generates and issues a new Secret ID on a role in the auth method.
-
- Supported methods:
- POST: /auth/{mount_point}/role/{role_name}/custom-secret-id. Produces: 200 application/json
-
- :param role_name: The name for the role.
- :type role_name: str | unicode
- :param secret_id: The Secret ID to read.
- :type secret_id: str | unicode
- :param metadata: Metadata to be tied to the Secret ID.
- :type metadata: dict
- :param cidr_list: Blocks of IP addresses which can perform login operations.
- :type cidr_list: list
- :param token_bound_cidrs: Blocks of IP addresses which can authenticate successfully.
- :type token_bound_cidrs: list
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :param wrap_ttl: Returns the request as a response-wrapping token.
- Can be either an integer number of seconds or a string duration of seconds (`15s`), minutes (`20m`), or hours (`25h`).
- :type wrap_ttl: int | str
- :return: The JSON response of the read_role_id request.
- :rtype: dict
- """
- if metadata is not None and not isinstance(metadata, dict):
- error_msg = 'unsupported metadata argument provided "{arg}" ({arg_type}), required type: dict"'
- raise exceptions.ParamValidationError(
- error_msg.format(
- arg=metadata,
- arg_type=type(metadata),
- )
- )
-
- params = {"secret_id": secret_id}
-
- if metadata:
- params["metadata"] = json.dumps(metadata)
-
- list_of_strings_params = {
- "cidr_list": cidr_list,
- "token_bound_cidrs": token_bound_cidrs,
- }
- for param_name, param_argument in list_of_strings_params.items():
- validate_list_of_strings_param(
- param_name=param_name,
- param_argument=param_argument,
- )
- if param_argument is not None:
- params[param_name] = list_to_comma_delimited(param_argument)
-
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/role/{role_name}/custom-secret-id",
- mount_point=mount_point,
- role_name=role_name,
- )
- return self._adapter.post(url=api_path, json=params, wrap_ttl=wrap_ttl)
-
- def read_secret_id(self, role_name, secret_id, mount_point=DEFAULT_MOUNT_POINT):
- """
- Read the properties of a Secret ID for a role in the auth method.
-
- Supported methods:
- POST: /auth/{mount_point}/role/{role_name}/secret-id/lookup. Produces: 200 application/json
-
- :param role_name: The name for the role
- :type role_name: str | unicode
- :param secret_id: The Secret ID to read.
- :type secret_id: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The JSON response of the read_role_id request.
- :rtype: dict
- """
- params = {"secret_id": secret_id}
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/role/{role_name}/secret-id/lookup",
- mount_point=mount_point,
- role_name=role_name,
- )
- return self._adapter.post(url=api_path, json=params)
-
- def destroy_secret_id(self, role_name, secret_id, mount_point=DEFAULT_MOUNT_POINT):
- """
- Destroys a Secret ID for a role in the auth method.
-
- Supported methods:
- POST: /auth/{mount_point}/role/{role_name}/secret-id/destroy. Produces 204 (empty body)
-
- :param role_name: The name for the role
- :type role_name: str | unicode
- :param secret_id: The Secret ID to read.
- :type secret_id: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- """
- params = {"secret_id": secret_id}
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/role/{role_name}/secret-id/destroy",
- mount_point=mount_point,
- role_name=role_name,
- )
- return self._adapter.post(url=api_path, json=params)
-
- def list_secret_id_accessors(self, role_name, mount_point=DEFAULT_MOUNT_POINT):
- """
- Lists accessors of all issued Secret IDs for a role in the auth method.
-
- Supported methods:
- LIST: /auth/{mount_point}/role/{role_name}/secret-id. Produces: 200 application/json
-
- :param role_name: The name for the role
- :type role_name: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The JSON response of the read_role_id request.
- :rtype: dict
- """
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/role/{role_name}/secret-id",
- mount_point=mount_point,
- role_name=role_name,
- )
- return self._adapter.list(url=api_path)
-
- def read_secret_id_accessor(
- self, role_name, secret_id_accessor, mount_point=DEFAULT_MOUNT_POINT
- ):
- """
- Read the properties of a Secret ID for a role in the auth method.
-
- Supported methods:
- POST: /auth/{mount_point}/role/{role_name}/secret-id-accessor/lookup. Produces: 200 application/json
-
- :param role_name: The name for the role
- :type role_name: str | unicode
- :param secret_id_accessor: The accessor for the Secret ID to read.
- :type secret_id_accessor: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The JSON response of the read_role_id request.
- :rtype: dict
- """
- params = {"secret_id_accessor": secret_id_accessor}
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/role/{role_name}/secret-id-accessor/lookup",
- mount_point=mount_point,
- role_name=role_name,
- )
- return self._adapter.post(url=api_path, json=params)
-
- def destroy_secret_id_accessor(
- self, role_name, secret_id_accessor, mount_point=DEFAULT_MOUNT_POINT
- ):
- """
- Destroys a Secret ID for a role in the auth method.
-
- Supported methods:
- POST: /auth/{mount_point}/role/{role_name}/secret-id-accessor/destroy. Produces: 204 (empty body)
-
- :param role_name: The name for the role
- :type role_name: str | unicode
- :param secret_id_accessor: The accessor for the Secret ID to read.
- :type secret_id_accessor: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- """
- params = {"secret_id_accessor": secret_id_accessor}
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/role/{role_name}/secret-id-accessor/destroy",
- mount_point=mount_point,
- role_name=role_name,
- )
- return self._adapter.post(url=api_path, json=params)
-
- def login(
- self, role_id, secret_id=None, use_token=True, mount_point=DEFAULT_MOUNT_POINT
- ):
- """
- Login with APPROLE credentials.
-
- Supported methods:
- POST: /auth/{mount_point}/login. Produces: 200 application/json
-
- :param role_id: Role ID of the role.
- :type role_id: str | unicode
- :param secret_id: Secret ID of the role.
- :type secret_id: str | unicode
- :param use_token: if True, uses the token in the response received from the auth request to set the "token"
- attribute on the the :py:meth:`hvac.adapters.Adapter` instance under the _adapter Client attribute.
- :type use_token: bool
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The JSON response of the read_role_id request.
- :rtype: dict
- """
- params = {"role_id": role_id, "secret_id": secret_id}
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/login", mount_point=mount_point
- )
- return self._adapter.login(
- url=api_path,
- use_token=use_token,
- json=params,
- )
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/aws.py b/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/aws.py
deleted file mode 100644
index 58adb05..0000000
--- a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/aws.py
+++ /dev/null
@@ -1,992 +0,0 @@
-#!/usr/bin/python
-""" AWS auth method module """
-import logging
-import json
-from base64 import b64encode
-
-from hvac import exceptions, aws_utils, utils
-from hvac.api.vault_api_base import VaultApiBase
-from hvac.constants.aws import ALLOWED_IAM_ALIAS_TYPES, ALLOWED_EC2_ALIAS_TYPES
-from hvac.constants.aws import DEFAULT_MOUNT_POINT as AWS_DEFAULT_MOUNT_POINT
-
-logger = logging.getLogger(__name__)
-
-
-class Aws(VaultApiBase):
- """AWS Auth Method (API).
-
- Reference: https://www.vaultproject.io/api/auth/aws/index.html
- """
-
- def configure(
- self,
- max_retries=None,
- access_key=None,
- secret_key=None,
- endpoint=None,
- iam_endpoint=None,
- sts_endpoint=None,
- iam_server_id_header_value=None,
- mount_point=AWS_DEFAULT_MOUNT_POINT,
- sts_region=None,
- ):
- """Configure the credentials required to perform API calls to AWS as well as custom endpoints to talk to AWS API.
-
- The instance identity document fetched from the PKCS#7 signature will provide the EC2 instance ID.
- The credentials configured using this endpoint will be used to query the status of the instances via
- DescribeInstances API. If static credentials are not provided using this endpoint, then the credentials will be
- retrieved from the environment variables AWS_ACCESS_KEY, AWS_SECRET_KEY and AWS_REGION respectively.
- If the credentials are still not found and if the method is configured on an EC2 instance with metadata querying
- capabilities, the credentials are fetched automatically
-
- Supported methods:
- POST: /auth/{mount_point}/config Produces: 204 (empty body)
-
- :param max_retries: Number of max retries the client should use for recoverable errors.
- The default (-1) falls back to the AWS SDK's default behavior
- :type max_retries: int
- :param access_key: AWS Access key with permissions to query AWS APIs. The permissions required depend on the
- specific configurations.
If using the iam auth method without inferencing, then no credentials are
- necessary. If using the ec2 auth method or using the iam auth method with inferencing, then these
- credentials need access to ec2:DescribeInstances. If additionally a bound_iam_role is specified, then
- these credentials also need access to iam:GetInstanceProfile. If, however, an alternate sts configuration
- is set for the target account, then the credentials must be permissioned to call sts:AssumeRole on the
- configured role, and that role must have the permissions described here
- :type access_key: str | unicode
- :param secret_key: AWS Secret key with permissions to query AWS APIs
- :type secret_key: str | unicode
- :param endpoint: URL to override the default generated endpoint for making AWS EC2 API calls
- :type endpoint: str | unicode
- :param iam_endpoint: URL to override the default generated endpoint for making AWS IAM API calls
- :type iam_endpoint: str | unicode
- :param sts_endpoint: URL to override the default generated endpoint for making AWS STS API calls
- :type sts_endpoint: str | unicode
- :param iam_server_id_header_value: The value to require in the X-Vault-AWS-IAM-Server-ID header as part of
- GetCallerIdentity requests that are used in the iam auth method. If not set, then no value is required or
- validated. If set, clients must include an X-Vault-AWS-IAM-Server-ID header in the headers of login
- requests, and further this header must be among the signed headers validated by AWS. This is to protect
- against different types of replay attacks, for example a signed request sent to a dev server being resent
- to a production server
- :type iam_server_id_header_value: str | unicode
- :param mount_point: The path the AWS auth method was mounted on.
- :type mount_point: str | unicode
- :param sts_region: Region to override the default region for making AWS STS API calls. Should only be set if
- sts_endpoint is set.
If so, should be set to the region in which the custom sts_endpoint resides
- :type sts_region: str | unicode
- :return: The response of the request.
- :rtype: requests.Response
- """
-
- params = utils.remove_nones(
- {
- "max_retries": max_retries,
- "access_key": access_key,
- "secret_key": secret_key,
- "endpoint": endpoint,
- "iam_endpoint": iam_endpoint,
- "sts_endpoint": sts_endpoint,
- "iam_server_id_header_value": iam_server_id_header_value,
- "sts_region": sts_region,
- }
- )
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/config/client", mount_point=mount_point
- )
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def read_config(self, mount_point=AWS_DEFAULT_MOUNT_POINT):
- """Read previously configured AWS access credentials.
-
- Supported methods:
- GET: /auth/{mount_point}/config. Produces: 200 application/json
-
- :param mount_point: The path the AWS auth method was mounted on.
- :type mount_point: str | unicode
- :return: The data key from the JSON response of the request.
- :rtype: dict
- """
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/config/client", mount_point=mount_point
- )
- response = self._adapter.get(
- url=api_path,
- )
- return response.get("data")
-
- def delete_config(self, mount_point=AWS_DEFAULT_MOUNT_POINT):
- """Delete previously configured AWS access credentials,
-
- Supported methods:
- DELETE: /auth/{mount_point}/config Produces: 204 (empty body)
-
- :param mount_point: The path the AWS auth method was mounted on.
- :type mount_point: str | unicode
- :return: The response of the request.
- :rtype: requests.Response
- """
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/config/client", mount_point=mount_point
- )
- return self._adapter.delete(url=api_path)
-
- def configure_identity_integration(
- self,
- iam_alias=None,
- ec2_alias=None,
- mount_point=AWS_DEFAULT_MOUNT_POINT,
- iam_metadata=None,
- ec2_metadata=None,
- ):
- """Configure the way that Vault interacts with the Identity store.
-
- The default (as of Vault 1.0.3) is role_id for both values.
-
- Supported methods:
- POST: /auth/{mount_point}/config/identity Produces: 204 (empty body)
-
- :param iam_alias: How to generate the identity alias when using the iam auth method. Valid choices are role_id,
- unique_id, and full_arn When role_id is selected, the randomly generated ID of the role is used. When
- unique_id is selected, the IAM Unique ID of the IAM principal (either the user or role) is used as the
- identity alias name. When full_arn is selected, the ARN returned by the sts:GetCallerIdentity call is used
- as the alias name. This is either arn:aws:iam:::user/ or
- arn:aws:sts:::assumed-role//. Note: if you
- select full_arn and then delete and recreate the IAM role, Vault won't be aware and any identity aliases
- set up for the role name will still be valid
- :type iam_alias: str | unicode
- :param iam_metadata: The metadata to include on the token returned by the login endpoint.
- This metadata will be added to both audit logs, and on the ``iam_alias``. By default, it includes ``account_id``
- and ``auth_type``. Additionally, ``canonical_arn``, ``client_arn``, ``client_user_id``, ``inferred_aws_region``, ``inferred_entity_id``,
- and ``inferred_entity_type`` are available. To include no metadata, set to an empty list ``[]``.
- To use only particular fields, select the explicit fields. To restore to defaults, send only a field of ``default``.
- Only select fields that will have a low rate of change for your ``iam_alias`` because each change triggers a storage
- write and can have a performance impact at scale.
- :type iam_metadata: str | unicode | list
- :param ec2_alias: Configures how to generate the identity alias when using the ec2 auth method. Valid choices
- are role_id, instance_id, and image_id. When role_id is selected, the randomly generated ID of the role is
- used. When instance_id is selected, the instance identifier is used as the identity alias name. When
- image_id is selected, AMI ID of the instance is used as the identity alias name
- :type ec2_alias: str | unicode
- :param ec2_metadata: The metadata to include on the token returned by the login endpoint. This metadata will be
- added to both audit logs, and on the ``ec2_alias``. By default, it includes ``account_id`` and ``auth_type``. Additionally,
- ``ami_id``, ``instance_id``, and ``region`` are available. To include no metadata, set to an empty list ``[]``.
- To use only particular fields, select the explicit fields. To restore to defaults, send only a field of ``default``.
- Only select fields that will have a low rate of change for your ``ec2_alias`` because each change triggers a storage
- write and can have a performance impact at scale.
- :type ec2_metadata: str | unicode | list
- :param mount_point: The path the AWS auth method was mounted on.
- :type mount_point: str | unicode
- :return: The response of the request
- :rtype: request.Response
- """
- if iam_alias is not None and iam_alias not in ALLOWED_IAM_ALIAS_TYPES:
- error_msg = f"invalid iam alias type provided: '{iam_alias}' - supported iam alias types: '{','.join(ALLOWED_IAM_ALIAS_TYPES)}'"
- raise exceptions.ParamValidationError(error_msg)
- if ec2_alias is not None and ec2_alias not in ALLOWED_EC2_ALIAS_TYPES:
- error_msg = f"invalid ec2 alias type provided: '{ec2_alias}' - supported ec2 alias types: '{','.join(ALLOWED_EC2_ALIAS_TYPES)}'"
- raise exceptions.ParamValidationError(error_msg)
-
- params = utils.remove_nones(
- {
- "iam_alias": iam_alias,
- "ec2_alias": ec2_alias,
- "ec2_metadata": ec2_metadata,
- "iam_metadata": iam_metadata,
- }
- )
- api_auth = "/v1/auth/{mount_point}/config/identity".format(
- mount_point=mount_point
- )
- return self._adapter.post(
- url=api_auth,
- json=params,
- )
-
- def read_identity_integration(self, mount_point=AWS_DEFAULT_MOUNT_POINT):
- """Return previously configured identity integration configuration.
-
- Supported methods:
- GET: /auth/{mount_point}/config/identity. Produces: 200 application/json
-
- :param mount_point: The path the AWS auth method was mounted on.
- :type mount_point: str | unicode
- :return: The data key from the JSON response of the request.
- :rtype: dict
- """
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/config/identity", mount_point=mount_point
- )
- response = self._adapter.get(
- url=api_path,
- )
- return response.get("data")
-
- def create_certificate_configuration(
- self,
- cert_name,
- aws_public_cert,
- document_type=None,
- mount_point=AWS_DEFAULT_MOUNT_POINT,
- ):
- """Register AWS public key to be used to verify the instance identity documents.
-
- While the PKCS#7 signature of the identity documents have DSA digest, the identity signature will have RSA
- digest, and hence the public keys for each type varies respectively.
Indicate the type of the public key using
- the "type" parameter
-
- Supported methods:
- POST: /auth/{mount_point}/config/certificate/:cert_name Produces: 204 (empty body)
-
- :param cert_name: Name of the certificate
- :type cert_name: string | unicode
- :param aws_public_cert: Base64 encoded AWS Public key required to verify PKCS7 signature of the EC2 instance
- metadata
- :param document_type: Takes the value of either "pkcs7" or "identity", indicating the type of document which can be
- verified using the given certificate
- :type document_type: string | unicode
- :param mount_point: The path the AWS auth method was mounted on.
- :type mount_point: str | unicode
- :return: The response of the request
- :rtype: request.Response
- """
- params = {
- "cert_name": cert_name,
- "aws_public_cert": aws_public_cert,
- }
- params.update(
- utils.remove_nones(
- {
- "document_type": document_type,
- }
- )
- )
- api_path = utils.format_url(
- "/v1/auth/{0}/config/certificate/{1}", mount_point, cert_name
- )
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def read_certificate_configuration(
- self, cert_name, mount_point=AWS_DEFAULT_MOUNT_POINT
- ):
- """Return previously configured AWS public key.
-
- Supported methods:
- GET: /v1/auth/{mount_point}/config/certificate/:cert_name Produces: 200 application/json
-
- :param cert_name: Name of the certificate
- :type cert_name: str | unicode
- :param mount_point: The path the AWS auth method was mounted on.
- :return: The data key from the JSON response of the request.
- :rtype: dict
- """
- api_path = utils.format_url(
- "/v1/auth/{0}/config/certificate/{1}", mount_point, cert_name
- )
- response = self._adapter.get(
- url=api_path,
- )
- return response.get("data")
-
- def delete_certificate_configuration(
- self, cert_name, mount_point=AWS_DEFAULT_MOUNT_POINT
- ):
- """Remove previously configured AWS public key.
-
- Supported methods:
- DELETE: /auth/{mount_point}/config/certificate/:cert_name Produces: 204 (empty body)
-
- :param cert_name: Name of the certificate
- :type cert_name: str | unicode
- :param mount_point: The path the AWS auth method was mounted on.
- :type mount_point: str | unicode
- :return: The response of the request
- :rtype: request.Response
- """
- api_path = utils.format_url(
- "/v1/auth/{0}/config/certificate/{1}", mount_point, cert_name
- )
- return self._adapter.delete(
- url=api_path,
- )
-
- def list_certificate_configurations(self, mount_point=AWS_DEFAULT_MOUNT_POINT):
- """List AWS public certificates that are registered with the method.
-
- Supported methods
- LIST: /auth/{mount_point}/config/certificates Produces: 200 application/json
-
- :param mount_point: The path the AWS auth method was mounted on.
- :type mount_point: str
- :return: The response of the request.
- :rtype: requests.Response
- """
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/config/certificates", mount_point=mount_point
- )
- response = self._adapter.list(
- url=api_path,
- )
- return response.get("data")
-
- def create_sts_role(
- self, account_id, sts_role, mount_point=AWS_DEFAULT_MOUNT_POINT
- ):
- """Allow the explicit association of STS roles to satellite AWS accounts (i.e. those which are not the
- account in which the Vault server is running.)
-
- Vault will use credentials obtained by assuming these STS roles when validating IAM principals or EC2
- instances in the particular AWS account
-
- Supported methods:
- POST: /v1/auth/{mount_point}/config/sts/:account_id Produces: 204 (empty body)
-
- :param account_id: AWS account ID to be associated with STS role.
- If set, Vault will use assumed credentials to verify any login attempts from EC2 instances in this account.
- :type account_id: str
- :param sts_role: AWS ARN for STS role to be assumed when interacting with the account specified.
- The Vault server must have permissions to assume this role.
- :type sts_role: str
- :param mount_point: The path the AWS auth method was mounted on.
- :type mount_point: str
- :return: The response of the request.
- :rtype: requests.Response
- """
- api_path = utils.format_url(
- "/v1/auth/{0}/config/sts/{1}", mount_point, account_id
- )
- params = {
- "account_id": account_id,
- "sts_role": sts_role,
- }
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def read_sts_role(self, account_id, mount_point=AWS_DEFAULT_MOUNT_POINT):
- """Return previously configured STS role.
-
- :param account_id: AWS account ID that has been previously associated with STS role.
- :type account_id: str
- :param mount_point: The path the AWS auth method was mounted on.
- :type mount_point: str
- :return: The response of the request.
- :rtype: requests.Response
- """
- api_path = utils.format_url(
- "/v1/auth/{0}/config/sts/{1}", mount_point, account_id
- )
- response = self._adapter.get(
- url=api_path,
- )
- return response.get("data")
-
- def list_sts_roles(self, mount_point=AWS_DEFAULT_MOUNT_POINT):
- """List AWS Account IDs for which an STS role is registered.
-
- :param mount_point: The path the AWS auth method was mounted on.
- :type mount_point: str
- :return: The response of the request.
- :rtype: requests.Response
- """
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/config/sts", mount_point=mount_point
- )
- response = self._adapter.list(url=api_path)
- return response.get("data")
-
- def delete_sts_role(self, account_id, mount_point=AWS_DEFAULT_MOUNT_POINT):
- """Delete a previously configured AWS account/STS role association.
-
- :param account_id:
- :param mount_point: The path the AWS auth method was mounted on.
- :type mount_point: str
- :return: The response of the request.
- :rtype: requests.Response
- """
- api_path = utils.format_url(
- "/v1/auth/{0}/config/sts/{1}", mount_point, account_id
- )
- return self._adapter.delete(
- url=api_path,
- )
-
- def configure_identity_whitelist_tidy(
- self,
- safety_buffer=None,
- disable_periodic_tidy=None,
- mount_point=AWS_DEFAULT_MOUNT_POINT,
- ):
- """Configure the periodic tidying operation of the whitelisted identity entries.
-
- :param safety_buffer: The amount of extra time that must have passed beyond the roletag expiration, before
- it is removed from the method storage.
- :type safety_buffer: str
- :param disable_periodic_tidy: If set to 'true', disables the periodic tidying of the identity-whitelist/ entries.
- :type disable_periodic_tidy: bool
- :param mount_point: The path the AWS auth method was mounted on.
- :type mount_point: str
- :return: The response of the request.
- :rtype: requests.Response
- """
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/config/tidy/identity-whitelist",
- mount_point=mount_point,
- )
- params = utils.remove_nones(
- {
- "safety_buffer": safety_buffer,
- "disable_periodic_tidy": disable_periodic_tidy,
- }
- )
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def read_identity_whitelist_tidy(self, mount_point=AWS_DEFAULT_MOUNT_POINT):
- """Read previously configured periodic whitelist tidying settings.
-
- :param mount_point: The path the AWS auth method was mounted on.
- :type mount_point: str
- :return: The response of the request.
- :rtype: requests.Response
- """
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/config/tidy/identity-whitelist",
- mount_point=mount_point,
- )
- response = self._adapter.get(url=api_path)
- return response.get("data")
-
- def delete_identity_whitelist_tidy(self, mount_point=AWS_DEFAULT_MOUNT_POINT):
- """Delete previously configured periodic whitelist tidying settings.
-
- :param mount_point: The path the AWS auth method was mounted on.
- :type mount_point: str
- :return: The response of the request.
- :rtype: requests.Response
- """
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/config/tidy/identity-whitelist",
- mount_point=mount_point,
- )
- return self._adapter.delete(
- url=api_path,
- )
-
- def configure_role_tag_blacklist_tidy(
- self,
- safety_buffer=None,
- disable_periodic_tidy=None,
- mount_point=AWS_DEFAULT_MOUNT_POINT,
- ):
- """Configure the periodic tidying operation of the blacklisted role tag entries.
-
- :param safety_buffer: The amount of extra time that must have passed beyond the roletag expiration, before
- it is removed from the method storage.
- :type safety_buffer: str
- :param disable_periodic_tidy: If set to 'true', disables the periodic tidying of the roletag-blacklist/ entries.
- :type disable_periodic_tidy: bool
- :param mount_point: The path the AWS auth method was mounted on.
- :type mount_point: str
- :return: The response of the request.
- :rtype: requests.Response
- """
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/config/tidy/roletag-blacklist",
- mount_point=mount_point,
- )
- params = utils.remove_nones(
- {
- "safety_buffer": safety_buffer,
- "disable_periodic_tidy": disable_periodic_tidy,
- }
- )
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def read_role_tag_blacklist_tidy(self, mount_point=AWS_DEFAULT_MOUNT_POINT):
- """Read previously configured periodic blacklist tidying settings.
-
- :param mount_point: The path the AWS auth method was mounted on.
- :type mount_point: str
- :return: The response of the request.
- :rtype: requests.Response
- """
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/config/tidy/roletag-blacklist",
- mount_point=mount_point,
- )
- response = self._adapter.get(url=api_path)
- return response.get("data")
-
- def delete_role_tag_blacklist_tidy(self, mount_point=AWS_DEFAULT_MOUNT_POINT):
- """Delete previously configured periodic blacklist tidying settings.
-
- :param mount_point: The path the AWS auth method was mounted on.
- :type mount_point: str
- :return: The response of the request.
- :rtype: requests.Response
- """
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/config/tidy/roletag-blacklist",
- mount_point=mount_point,
- )
- return self._adapter.delete(url=api_path)
-
- def create_role(
- self,
- role,
- auth_type=None,
- bound_ami_id=None,
- bound_account_id=None,
- bound_region=None,
- bound_vpc_id=None,
- bound_subnet_id=None,
- bound_iam_role_arn=None,
- bound_iam_instance_profile_arn=None,
- bound_ec2_instance_id=None,
- role_tag=None,
- bound_iam_principal_arn=None,
- inferred_entity_type=None,
- inferred_aws_region=None,
- resolve_aws_unique_ids=None,
- ttl=None,
- max_ttl=None,
- period=None,
- policies=None,
- allow_instance_migration=None,
- disallow_reauthentication=None,
- mount_point=AWS_DEFAULT_MOUNT_POINT,
- ):
- """Register a role in the method.
-
- :param role:
- :param auth_type:
- :param bound_ami_id:
- :param bound_account_id:
- :param bound_region:
- :param bound_vpc_id:
- :param bound_subnet_id:
- :param bound_iam_role_arn:
- :param bound_iam_instance_profile_arn:
- :param bound_ec2_instance_id:
- :param role_tag:
- :param bound_iam_principal_arn:
- :param inferred_entity_type:
- :param inferred_aws_region:
- :param resolve_aws_unique_ids:
- :param ttl:
- :param max_ttl:
- :param period:
- :param policies:
- :param allow_instance_migration:
- :param disallow_reauthentication:
- :param mount_point: The path the AWS auth method was mounted on.
- :type mount_point: str
- :return: The response of the request.
- :rtype: requests.Response
- """
- api_path = utils.format_url("/v1/auth/{0}/role/{1}", mount_point, role)
- params = {
- "role": role,
- }
- params.update(
- utils.remove_nones(
- {
- "auth_type": auth_type,
- "resolve_aws_unique_ids": resolve_aws_unique_ids,
- "bound_ami_id": bound_ami_id,
- "bound_account_id": bound_account_id,
- "bound_region": bound_region,
- "bound_vpc_id": bound_vpc_id,
- "bound_subnet_id": bound_subnet_id,
- "bound_iam_role_arn": bound_iam_role_arn,
- "bound_iam_instance_profile_arn": bound_iam_instance_profile_arn,
- "bound_ec2_instance_id": bound_ec2_instance_id,
- "role_tag": role_tag,
- "bound_iam_principal_arn": bound_iam_principal_arn,
- "inferred_entity_type": inferred_entity_type,
- "inferred_aws_region": inferred_aws_region,
- "ttl": ttl,
- "max_ttl": max_ttl,
- "period": period,
- "policies": policies,
- "allow_instance_migration": allow_instance_migration,
- "disallow_reauthentication": disallow_reauthentication,
- }
- )
- )
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def read_role(self, role, mount_point=AWS_DEFAULT_MOUNT_POINT):
- """Returns the previously registered role configuration
-
- :param role:
- :param mount_point: The path the AWS auth method was mounted on.
- :type mount_point: str
- :return: The response of the request.
- :rtype: requests.Response
- """
- api_path = utils.format_url("/v1/auth/{0}/role/{1}", mount_point, role)
- response = self._adapter.get(url=api_path)
- return response.get("data")
-
- def list_roles(self, mount_point=AWS_DEFAULT_MOUNT_POINT):
- """Lists all the roles that are registered with the method
-
- :param mount_point: The path the AWS auth method was mounted on.
- :type mount_point: str
- :return: The response of the request.
- :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/auth/{mount_point}/roles", mount_point=mount_point - ) - response = self._adapter.list( - url=api_path, - ) - return response.get("data") - - def delete_role(self, role, mount_point=AWS_DEFAULT_MOUNT_POINT): - """Deletes the previously registered role - - :param role: - :param mount_point: The path the AWS auth method was mounted on. - :type mount_point: str - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url("/v1/auth/{0}/role/{1}", mount_point, role) - return self._adapter.delete( - url=api_path, - ) - - def create_role_tags( - self, - role, - policies=None, - max_ttl=None, - instance_id=None, - allow_instance_migration=None, - disallow_reauthentication=None, - mount_point=AWS_DEFAULT_MOUNT_POINT, - ): - """Create a role tag on the role, which helps in restricting the capabilities that are set on the role. - - Role tags are not tied to any specific ec2 instance unless specified explicitly using the - instance_id parameter. By default, role tags are designed to be used across all instances that - satisfies the constraints on the role. Regardless of which instances have role tags on them, capabilities - defined in a role tag must be a strict subset of the given role's capabilities. Note that, since adding - and removing a tag is often a widely distributed privilege, care needs to be taken to ensure that the - instances are attached with correct tags to not let them gain more privileges than what were intended. - If a role tag is changed, the capabilities inherited by the instance will be those defined on the new role - tag. Since those must be a subset of the role capabilities, the role should never provide more capabilities - than any given instance can be allowed to gain in a worst-case scenario - - :param role: Name of the role. - :type role: str - :param policies: Policies to be associated with the tag. 
If set, must be a subset of the role's policies. If - set, but set to an empty value, only the 'default' policy will be given to issued tokens. - :type policies: list - :param max_ttl: The maximum allowed lifetime of tokens issued using this role. - :type max_ttl: str - :param instance_id: Instance ID for which this tag is intended for. If set, the created tag can only be used by - the instance with the given ID. - :type instance_id: str - :param disallow_reauthentication: If set, only allows a single token to be granted per instance ID. This can be - cleared with the auth/aws/identity-whitelist endpoint. Defaults to 'false'. Mutually exclusive with - allow_instance_migration. - :type disallow_reauthentication: bool - :param allow_instance_migration: If set, allows migration of the underlying instance where the client resides. - This keys off of pendingTime in the metadata document, so essentially, this disables the client nonce check - whenever the instance is migrated to a new host and pendingTime is newer than the previously-remembered - time. Use with caution. Defaults to 'false'. Mutually exclusive with disallow_reauthentication. - :type allow_instance_migration: bool - :param mount_point: The path the AWS auth method was mounted on. - :type mount_point: str - :return: The create role tag response. 
- :rtype: dict - """ - api_path = utils.format_url("/v1/auth/{0}/role/{1}/tag", mount_point, role) - - params = utils.remove_nones( - { - "disallow_reauthentication": disallow_reauthentication, - "policies": policies, - "max_ttl": max_ttl, - "instance_id": instance_id, - "allow_instance_migration": allow_instance_migration, - } - ) - - return self._adapter.post( - url=api_path, - json=params, - ) - - def iam_login( - self, - access_key, - secret_key, - session_token=None, - header_value=None, - role=None, - use_token=True, - region="us-east-1", - mount_point=AWS_DEFAULT_MOUNT_POINT, - ): - """Fetch a token - - This endpoint verifies the pkcs7 signature of the instance identity document or the signature of the - signed GetCallerIdentity request. With the ec2 auth method, or when inferring an EC2 instance, - verifies that the instance is actually in a running state. Cross checks the constraints defined on the - role with which the login is being performed. With the ec2 auth method, as an alternative to pkcs7 - signature, the identity document along with its RSA digest can be supplied to this endpoint - - :param role: Name of the role against which the login is being attempted. - :type role: str - :param use_token: if True, uses the token in the response received from the auth request to set the "token" - attribute on the the :py:meth:`hvac.adapters.Adapter` instance under the _adapter Client attribute. - :type use_token: bool - :param mount_point: The path the AWS auth method was mounted on. - :type mount_point: str - :return: The response of the request. 
- :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/auth/{mount_point}/login", mount_point=mount_point - ) - - request = aws_utils.generate_sigv4_auth_request(header_value=header_value) - auth = aws_utils.SigV4Auth(access_key, secret_key, session_token, region) - auth.add_auth(request) - - # https://github.com/hashicorp/vault/blob/master/builtin/credential/aws/cli.go - headers = json.dumps({k: [request.headers[k]] for k in request.headers}) - params = { - "iam_http_request_method": request.method, - "iam_request_url": b64encode(request.url.encode("utf-8")).decode("utf-8"), - "iam_request_headers": b64encode(headers.encode("utf-8")).decode("utf-8"), - "iam_request_body": b64encode(request.body.encode("utf-8")).decode("utf-8"), - "role": role, - } - - return self._adapter.login( - url=api_path, - use_token=use_token, - json=params, - ) - - def ec2_login( - self, - pkcs7, - nonce=None, - role=None, - use_token=True, - mount_point=AWS_DEFAULT_MOUNT_POINT, - ): - """Retrieve a Vault token using an AWS authentication method mount's EC2 role. - - :param pkcs7: PKCS7 signature of the identity document with all newline characters removed. - :type pkcs7: str - :param nonce: The nonce to be used for subsequent login requests. - :type nonce: str - :param role: Name of the role against which the login is being attempted. - :type role: str - :param use_token: if True, uses the token in the response received from the auth request to set the "token" - attribute on the the :py:meth:`hvac.adapters.Adapter` instance under the _adapter Client attribute. - :type use_token: bool - :param mount_point: The path the AWS auth method was mounted on. - :type mount_point: str - :return: The response of the request. 
- :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/auth/{mount_point}/login", mount_point=mount_point - ) - params = {"pkcs7": pkcs7} - if nonce: - params["nonce"] = nonce - if role: - params["role"] = role - - return self._adapter.login( - url=api_path, - use_token=use_token, - json=params, - ) - - def place_role_tags_in_blacklist( - self, role_tag, mount_point=AWS_DEFAULT_MOUNT_POINT - ): - """Places a valid role tag in a blacklist - - This ensures that the role tag cannot be used by any instance to perform a login operation again. Note - that if the role tag was previously used to perform a successful login, placing the tag in the blacklist - does not invalidate the already issued token - - :param role_tag: - :param mount_point: The path the AWS auth method was mounted on. - :type mount_point: str - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/auth/{0}/roletag-blacklist/{1}", mount_point, role_tag - ) - return self._adapter.post(url=api_path) - - def read_role_tag_blacklist(self, role_tag, mount_point=AWS_DEFAULT_MOUNT_POINT): - """Returns the blacklist entry of a previously blacklisted role tag - - :param role_tag: - :param mount_point: The path the AWS auth method was mounted on. - :type mount_point: str - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/auth/{0}/roletag-blacklist/{1}", mount_point, role_tag - ) - response = self._adapter.get(url=api_path) - return response.get("data") - - def list_blacklist_tags(self, mount_point=AWS_DEFAULT_MOUNT_POINT): - """Lists all the role tags that are blacklisted - - :param mount_point: The path the AWS auth method was mounted on. - :type mount_point: str - :return: The response of the request. 
- :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/auth/{mount_point}/roletag-blacklist", mount_point=mount_point - ) - response = self._adapter.list( - url=api_path, - ) - return response.get("data") - - def delete_blacklist_tags(self, role_tag, mount_point=AWS_DEFAULT_MOUNT_POINT): - """Deletes a blacklisted role tag - - :param role_tag: - :param mount_point: The path the AWS auth method was mounted on. - :type mount_point: str - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/auth/{0}/roletag-blacklist/{1}", mount_point, role_tag - ) - return self._adapter.delete( - url=api_path, - ) - - @utils.aliased_parameter( - "saftey_buffer", "safety_buffer", removed_in_version="3.0.0", position=1 - ) - def tidy_blacklist_tags( - self, safety_buffer="72h", mount_point=AWS_DEFAULT_MOUNT_POINT - ): - """Cleans up the entries in the blacklist based on expiration time on the entry and safety_buffer - - :param safety_buffer: - :param mount_point: The path the AWS auth method was mounted on. - :type mount_point: str - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/auth/{mount_point}/tidy/roletag-blacklist", mount_point=mount_point - ) - params = { - "safety_buffer": safety_buffer, - } - return self._adapter.post( - url=api_path, - json=params, - ) - - def read_identity_whitelist(self, instance_id, mount_point=AWS_DEFAULT_MOUNT_POINT): - """Returns an entry in the whitelist. An entry will be created/updated by every successful login - - :param instance_id: - :param mount_point: The path the AWS auth method was mounted on. - :type mount_point: str - :return: The response of the request. 
- :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/auth/{0}/identity-whitelist/{1}", mount_point, instance_id - ) - response = self._adapter.get(url=api_path) - return response.get("data") - - def list_identity_whitelist(self, mount_point=AWS_DEFAULT_MOUNT_POINT): - """Lists all the instance IDs that are in the whitelist of successful logins - - :param mount_point: The path the AWS auth method was mounted on. - :type mount_point: str - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/auth/{mount_point}/identity-whitelist", mount_point=mount_point - ) - response = self._adapter.list( - url=api_path, - ) - return response.get("data") - - def delete_identity_whitelist_entries( - self, instance_id, mount_point=AWS_DEFAULT_MOUNT_POINT - ): - """Deletes a cache of the successful login from an instance - - :param instance_id: - :param mount_point: The path the AWS auth method was mounted on. - :type mount_point: str - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/auth/{0}/identity-whitelist/{1}", mount_point, instance_id - ) - return self._adapter.delete( - url=api_path, - ) - - @utils.aliased_parameter( - "saftey_buffer", "safety_buffer", removed_in_version="3.0.0", position=1 - ) - def tidy_identity_whitelist_entries( - self, safety_buffer="72h", mount_point=AWS_DEFAULT_MOUNT_POINT - ): - """Cleans up the entries in the whitelist based on expiration time and safety_buffer - - :param safety_buffer: - :param mount_point: The path the AWS auth method was mounted on. - :type mount_point: str - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/auth/{mount_point}/tidy/identity-whitelist", mount_point=mount_point - ) - params = { - "safety_buffer": safety_buffer, - } - return self._adapter.post(url=api_path, json=params) 
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/azure.py b/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/azure.py
deleted file mode 100644
index a7053fa..0000000
--- a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/azure.py
+++ /dev/null
@@ -1,343 +0,0 @@ -#!/usr/bin/env python -"""Azure auth method module.""" -import logging - -from hvac import exceptions, utils -from hvac.api.vault_api_base import VaultApiBase -from hvac.constants.azure import VALID_ENVIRONMENTS - -DEFAULT_MOUNT_POINT = "azure" -logger = logging.getLogger(__name__) - - -class Azure(VaultApiBase): - """Azure Auth Method (API). - - Reference: https://www.vaultproject.io/api/auth/azure/index.html - """ - - def configure( - self, - tenant_id, - resource, - environment=None, - client_id=None, - client_secret=None, - mount_point=DEFAULT_MOUNT_POINT, - ): - """Configure the credentials required for the plugin to perform API calls to Azure. - - These credentials will be used to query the metadata about the virtual machine. - - Supported methods: - POST: /auth/{mount_point}/config. Produces: 204 (empty body) - - :param tenant_id: The tenant id for the Azure Active Directory organization. - :type tenant_id: str | unicode - :param resource: The configured URL for the application registered in Azure Active Directory. - :type resource: str | unicode - :param environment: The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, - AzureChinaCloud, AzureGermanCloud. - :type environment: str | unicode - :param client_id: The client id for credentials to query the Azure APIs. Currently read permissions to query - compute resources are required. - :type client_id: str | unicode - :param client_secret: The client secret for credentials to query the Azure APIs. - :type client_secret: str | unicode - :param mount_point: The "path" the azure auth method was mounted on. - :type mount_point: str | unicode - :return: The response of the request. 
- :rtype: requests.Response - """ - if environment is not None and environment not in VALID_ENVIRONMENTS: - error_msg = 'invalid environment argument provided: "{arg}"; supported environments: "{environments}"' - raise exceptions.ParamValidationError( - error_msg.format( - arg=environment, - environments=",".join(VALID_ENVIRONMENTS), - ) - ) - params = { - "tenant_id": tenant_id, - "resource": resource, - } - params.update( - utils.remove_nones( - { - "environment": environment, - "client_id": client_id, - "client_secret": client_secret, - } - ) - ) - api_path = utils.format_url( - "/v1/auth/{mount_point}/config", mount_point=mount_point - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def read_config(self, mount_point=DEFAULT_MOUNT_POINT): - """Return the previously configured config, including credentials. - - Supported methods: - GET: /auth/{mount_point}/config. Produces: 200 application/json - - :param mount_point: The "path" the azure auth method was mounted on. - :type mount_point: str | unicode - :return: The data key from the JSON response of the request. - :rtype: dict - """ - api_path = utils.format_url( - "/v1/auth/{mount_point}/config", mount_point=mount_point - ) - response = self._adapter.get( - url=api_path, - ) - return response.get("data") - - def delete_config(self, mount_point=DEFAULT_MOUNT_POINT): - """Delete the previously configured Azure config and credentials. - - Supported methods: - DELETE: /auth/{mount_point}/config. Produces: 204 (empty body) - - :param mount_point: The "path" the azure auth method was mounted on. - :type mount_point: str | unicode - :return: The response of the request. 
- :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/auth/{mount_point}/config", mount_point=mount_point - ) - return self._adapter.delete( - url=api_path, - ) - - def create_role( - self, - name, - policies=None, - ttl=None, - max_ttl=None, - period=None, - bound_service_principal_ids=None, - bound_group_ids=None, - bound_locations=None, - bound_subscription_ids=None, - bound_resource_groups=None, - bound_scale_sets=None, - num_uses=None, - mount_point=DEFAULT_MOUNT_POINT, - ): - """Create a role in the method. - - Role types have specific entities that can perform login operations against this endpoint. Constraints specific - to the role type must be set on the role. These are applied to the authenticated entities attempting to login. - - Supported methods: - POST: /auth/{mount_point}/role/{name}. Produces: 204 (empty body) - - - :param name: Name of the role. - :type name: str | unicode - :param policies: Policies to be set on tokens issued using this role. - :type policies: str | list - :param num_uses: Number of uses to set on a token produced by this role. - :type num_uses: int - :param ttl: The TTL period of tokens issued using this role in seconds. - :type ttl: str | unicode - :param max_ttl: The maximum allowed lifetime of tokens issued in seconds using this role. - :type max_ttl: str | unicode - :param period: If set, indicates that the token generated using this role should never expire. The token should - be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the - value of this parameter. - :type period: str | unicode - :param bound_service_principal_ids: The list of Service Principal IDs that login is restricted to. - :type bound_service_principal_ids: list - :param bound_group_ids: The list of group ids that login is restricted to. - :type bound_group_ids: list - :param bound_locations: The list of locations that login is restricted to. 
- :type bound_locations: list - :param bound_subscription_ids: The list of subscription IDs that login is restricted to. - :type bound_subscription_ids: list - :param bound_resource_groups: The list of resource groups that login is restricted to. - :type bound_resource_groups: list - :param bound_scale_sets: The list of scale set names that the login is restricted to. - :type bound_scale_sets: list - :param mount_point: The "path" the azure auth method was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - if policies is not None: - if not ( - isinstance(policies, str) - or ( - isinstance(policies, list) - and all(isinstance(p, str) for p in policies) - ) - ): - error_msg = 'unsupported policies argument provided "{arg}" ({arg_type}), required type: str or List[str]"' - raise exceptions.ParamValidationError( - error_msg.format( - arg=policies, - arg_type=type(policies), - ) - ) - params = utils.remove_nones( - { - "policies": policies, - "ttl": ttl, - "max_ttl": max_ttl, - "period": period, - "bound_service_principal_ids": bound_service_principal_ids, - "bound_group_ids": bound_group_ids, - "bound_locations": bound_locations, - "bound_subscription_ids": bound_subscription_ids, - "bound_resource_groups": bound_resource_groups, - "bound_scale_sets": bound_scale_sets, - "num_uses": num_uses, - } - ) - - api_path = utils.format_url( - "/v1/auth/{mount_point}/role/{name}", mount_point=mount_point, name=name - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def read_role(self, name, mount_point=DEFAULT_MOUNT_POINT): - """Read the previously registered role configuration. - - Supported methods: - GET: /auth/{mount_point}/role/{name}. Produces: 200 application/json - - - :param name: Name of the role. - :type name: str | unicode - :param mount_point: The "path" the azure auth method was mounted on. 
- :type mount_point: str | unicode - :return: The "data" key from the JSON response of the request. - :rtype: dict - """ - api_path = utils.format_url( - "/v1/auth/{mount_point}/role/{name}", - mount_point=mount_point, - name=name, - ) - response = self._adapter.get( - url=api_path, - ) - return response.get("data") - - def list_roles(self, mount_point=DEFAULT_MOUNT_POINT): - """List all the roles that are registered with the plugin. - - Supported methods: - LIST: /auth/{mount_point}/role. Produces: 200 application/json - - - :param mount_point: The "path" the azure auth method was mounted on. - :type mount_point: str | unicode - :return: The "data" key from the JSON response of the request. - :rtype: dict - """ - api_path = utils.format_url( - "/v1/auth/{mount_point}/role", mount_point=mount_point - ) - response = self._adapter.list(url=api_path) - return response.get("data") - - def delete_role(self, name, mount_point=DEFAULT_MOUNT_POINT): - """Delete the previously registered role. - - Supported methods: - DELETE: /auth/{mount_point}/role/{name}. Produces: 204 (empty body) - - - :param name: Name of the role. - :type name: str | unicode - :param mount_point: The "path" the azure auth method was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/auth/{mount_point}/role/{name}", - mount_point=mount_point, - name=name, - ) - return self._adapter.delete( - url=api_path, - ) - - def login( - self, - role, - jwt, - subscription_id=None, - resource_group_name=None, - vm_name=None, - vmss_name=None, - use_token=True, - mount_point=DEFAULT_MOUNT_POINT, - ): - """Fetch a token. - - This endpoint takes a signed JSON Web Token (JWT) and a role name for some entity. It verifies the JWT signature - to authenticate that entity and then authorizes the entity for the given role. - - Supported methods: - POST: /auth/{mount_point}/login. 
Produces: 200 application/json - - - :param role: Name of the role against which the login is being attempted. - :type role: str | unicode - :param jwt: Signed JSON Web Token (JWT) from Azure MSI. - :type jwt: str | unicode - :param subscription_id: The subscription ID for the machine that generated the MSI token. This information can - be obtained through instance metadata. - :type subscription_id: str | unicode - :param resource_group_name: The resource group for the machine that generated the MSI token. This information - can be obtained through instance metadata. - :type resource_group_name: str | unicode - :param vm_name: The virtual machine name for the machine that generated the MSI token. This information can be - obtained through instance metadata. If vmss_name is provided, this value is ignored. - :type vm_name: str | unicode - :param vmss_name: The virtual machine scale set name for the machine that generated the MSI token. This - information can be obtained through instance metadata. - :type vmss_name: str | unicode - :param use_token: if True, uses the token in the response received from the auth request to set the "token" - attribute on the the :py:meth:`hvac.adapters.Adapter` instance under the _adapter Client attribute. - :type use_token: bool - :param mount_point: The "path" the azure auth method was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: dict - """ - params = { - "role": role, - "jwt": jwt, - } - params.update( - utils.remove_nones( - { - "subscription_id": subscription_id, - "resource_group_name": resource_group_name, - "vm_name": vm_name, - "vmss_name": vmss_name, - } - ) - ) - api_path = utils.format_url( - "/v1/auth/{mount_point}/login", mount_point=mount_point - ) - return self._adapter.login( - url=api_path, - use_token=use_token, - json=params, - ) 
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/cert.py b/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/cert.py
deleted file mode 100644
index e9c832e..0000000
--- a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/cert.py
+++ /dev/null
@@ -1,328 +0,0 @@ -#!/usr/bin/env python -"""Cert methods module.""" -import os -import warnings - -from hvac.api.vault_api_base import VaultApiBase -from hvac.utils import validate_pem_format -from hvac import exceptions, utils - - -class Cert(VaultApiBase): - """Cert Auth Method (API). - - Reference: https://www.vaultproject.io/api/auth/cert/index.html - """ - - def create_ca_certificate_role( - self, - name, - certificate="", - certificate_file="", - allowed_common_names="", - allowed_dns_sans="", - allowed_email_sans="", - allowed_uri_sans="", - allowed_organizational_units="", - required_extensions="", - display_name="", - token_ttl=0, - token_max_ttl=0, - token_policies=[], - token_bound_cidrs=[], - token_explicit_max_ttl=0, - token_no_default_policy=False, - token_num_uses=0, - token_period=0, - token_type="", - mount_point="cert", - ): - """Create CA Certificate Role. - - Sets a CA cert and associated parameters in a role name. - - Supported methods: - POST: /auth//certs/:name. Produces: 204 (empty body) - - :param name: The name of the certificate role. - :type name: str - :param certificate: The PEM-format CA certificate. Either certificate or certificate_file is required. - NOTE: Passing a certificate file path with the certificate argument is deprecated and will be dropped in - version 3.0.0 - :type certificate: str - :param certificate_file: File path to the PEM-format CA certificate. Either certificate_file or certificate is - required. - :type certificate_file: str - :param allowed_common_names: Constrain the Common Names in the client certificate with a globbed pattern. Value - is a comma-separated list of patterns. Authentication requires at least one Name matching at least one - pattern. If not set, defaults to allowing all names. - :type allowed_common_names: str | list - :param allowed_dns_sans: Constrain the Alternative Names in the client certificate with a globbed pattern. Value - is a comma-separated list of patterns. 
Authentication requires at least one DNS matching at least one pattern. - If not set, defaults to allowing all dns. - :type allowed_dns_sans: str | list - :param allowed_email_sans: Constrain the Alternative Names in the client certificate with a globbed pattern. - Value is a comma-separated list of patterns. Authentication requires at least one Email matching at least - one pattern. If not set, defaults to allowing all emails. - :type allowed_email_sans: str | list - :param allowed_uri_sans: Constrain the Alternative Names in the client certificate with a globbed pattern. - Value is a comma-separated list of URI patterns. Authentication requires at least one URI matching at least - one pattern. If not set, defaults to allowing all URIs. - :type allowed_uri_sans: str | list - :param allowed_organizational_units: Constrain the Organizational Units (OU) in the client certificate with a - globbed pattern. Value is a comma-separated list of OU patterns. Authentication requires at least one OU - matching at least one pattern. If not set, defaults to allowing all OUs. - :type allowed_organizational_units: str | list - :param required_extensions: Require specific Custom Extension OIDs to exist and match the pattern. Value is a - comma separated string or array of oid:value. Expects the extension value to be some type of ASN1 encoded - string. All conditions must be met. Supports globbing on value. - :type required_extensions: str | list - :param display_name: The display_name to set on tokens issued when authenticating against this CA certificate. - If not set, defaults to the name of the role. - :type display_name: str | unicode - :param token_ttl: The incremental lifetime for generated tokens. This current value of this will be referenced - at renewal time. - :type token_ttl: int | str - :param token_max_ttl: The maximum lifetime for generated tokens. This current value of this will be referenced - at renewal time. 
- :type token_max_ttl: int | str - :param token_policies: List of policies to encode onto generated tokens. Depending on the auth method, this list - may be supplemented by user/group/other values. - :type token_policies: list | str - :param token_bound_cidrs: List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate - successfully, and ties the resulting token to these blocks as well. - :type token_bound_cidrs: list | str - :param token_explicit_max_ttl: If set, will encode an explicit max TTL onto the token. This is a hard cap even - if token_ttl and token_max_ttl would otherwise allow a renewal. - :type token_explicit_max_ttl: int | str - :param token_no_default_policy: If set, the default policy will not be set on generated tokens; otherwise it - will be added to the policies set in token_policies. - :type token_no_default_policy: bool - :param token_num_uses: The maximum number of times a generated token may be used (within its lifetime); 0 means - unlimited. If you require the token to have the ability to create child tokens, you will need to set this value to 0. - :type token_num_uses: int - :param token_period: The period, if any, to set on the token. - :type token_period: int | str - :param token_type: The type of token that should be generated. Can be service, batch, or default to use the - mount's tuned default (which unless changed will be service tokens). For token store roles, there are two - additional possibilities: default-service and default-batch which specify the type to return unless the - client requests a different type at generation time. 
- :type token_type: str - :param mount_point: - :type mount_point: - """ - if certificate: - try: - utils.validate_pem_format("", certificate) - cert = certificate - except exceptions.ParamValidationError: - with open(certificate) as f_cert: - warnings.warn( - "Passing a certificate file path to `certificate` is deprecated and will be removed in v3.0.0;" - "use `certificate_file` instead. (See https://github.com/hvac/hvac/issues/914)" - ) - cert = f_cert.read() - elif certificate_file: - with open(certificate_file) as f_cert: - cert = f_cert.read() - else: - raise exceptions.ParamValidationError( - "`certificate` or `certificate_file` must be provided" - ) - - params = utils.remove_nones( - { - "name": name, - "certificate": cert, - "allowed_common_names": allowed_common_names, - "allowed_dns_sans": allowed_dns_sans, - "allowed_email_sans": allowed_email_sans, - "allowed_uri_sans": allowed_uri_sans, - "allowed_organizational_units": allowed_organizational_units, - "required_extensions": required_extensions, - "display_name": display_name, - "token_ttl": token_ttl, - "token_max_ttl": token_max_ttl, - "token_policies": token_policies, - "token_bound_cidrs": token_bound_cidrs, - "token_explicit_max_ttl": token_explicit_max_ttl, - "token_no_default_policy": token_no_default_policy, - "token_num_uses": token_num_uses, - "token_period": token_period, - "token_type": token_type, - } - ) - - api_path = "/v1/auth/{mount_point}/certs/{name}".format( - mount_point=mount_point, name=name - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def read_ca_certificate_role(self, name, mount_point="cert"): - """ - Gets information associated with the named role. - - Supported methods: - GET: /auth//certs/{name}. Produces: 200 application/json - - :param name: The name of the certificate role - :type name: str | unicode - :param mount_point: - :type mount_point: - :return: The JSON response of the read_ca_certificate_role request. 
- :rtype: dict - """ - params = { - "name": name, - } - api_path = "/v1/auth/{mount_point}/certs/{name}".format( - mount_point=mount_point, name=name - ) - return self._adapter.get( - url=api_path, - json=params, - ) - - def list_certificate_roles(self, mount_point="cert"): - """ - Lists configured certificate names. - - Supported methods: - LIST: /auth//certs. Produces: 200 application/json - - :param mount_point: - :type mount_point: - :return: The response of the list_certificate request. - :rtype: requests.Response - """ - api_path = f"/v1/auth/{mount_point}/certs" - return self._adapter.list(url=api_path) - - def delete_certificate_role(self, name, mount_point="cert"): - """ - List existing LDAP existing groups that have been created in this auth method. - - Supported methods: - DELETE: /auth/{mount_point}/groups. Produces: 204 (empty body) - - :param name: The name of the certificate role. - :type name: str | unicode - :param mount_point: - :type mount_point: - """ - api_path = "/v1/auth/{mount_point}/certs/{name}".format( - mount_point=mount_point, name=name - ) - return self._adapter.delete( - url=api_path, - ) - - def configure_tls_certificate(self, mount_point="cert", disable_binding=False): - """ - Configure options for the method. - - Supported methods: - POST: /auth//config. Produces: 204 (empty body) - - - :param disable_binding: If set, during renewal, skips the matching of presented client identity with the client - identity used during login. - :type disable_binding: bool - :param mount_point: - :type mount_point: - """ - params = { - "disable_binding": disable_binding, - } - api_path = f"/v1/auth/{mount_point}/config" - return self._adapter.post( - url=api_path, - json=params, - ) - - def login( - self, - name="", - cacert=False, - cert_pem="", - key_pem="", - mount_point="cert", - use_token=True, - ): - """ - Log in and fetch a token. 
If there is a valid chain to a CA configured in the method and all role constraints - are matched, a token will be issued. If the certificate has DNS SANs in it, each of those will be verified. - If Common Name is required to be verified, then it should be a fully qualified DNS domain name and must be - duplicated as a DNS SAN - - Supported methods: - POST: /auth//login Produces: 200 application/json - - :param name: Authenticate against only the named certificate role, returning its policy list if successful. If - not set, defaults to trying all certificate roles and returning any one that matches. - :type name: str | unicode - :param cacert: The value used here is for the Vault TLS Listener CA certificate, not the CA that issued the - client authentication certificate. This can be omitted if the CA used to issue the Vault server certificate - is trusted by the local system executing this command. - :type cacert: str | bool - :param cert_pem: Location of the cert.pem used to authenticate the host. - :tupe cert_pem: str | unicode - :param key_pem: Location of the public key.pem used to authenticate the host. - :param key_pem: str | unicode - :param mount_point: - :type mount_point: - :param use_token: If the returned token is stored in the client - :param use_token: bool - :return: The response of the login request. - :rtype: requests.Response - """ - params = {} - if name != "": - params["name"] = name - api_path = f"/v1/auth/{mount_point}/login" - - # Must have cert checking or a CA cert. This is caught lower down but harder to grok - if not cacert: - # If a cacert is not provided try to drop down to the adapter and get the cert there. - # If the cacert is not in the adapter already login will also. - if not self._adapter._kwargs.get("verify"): - raise self.CertificateAuthError( - "cacert must be True, a file_path, or valid CA Certificate." 
- ) - else: - cacert = self._adapter._kwargs.get("verify") - else: - validate_pem_format("verify", cacert) - # if cert_pem is a string its ready to be used and either has the key with it or the key is provided as an arg - try: - if validate_pem_format("cert_pem", cert_pem): - tls_update = True - except exceptions.ParamValidationError: - tls_update = {} - if not (os.path.exists(cert_pem) or self._adapter._kwargs.get("cert")): - raise FileNotFoundError("Can't find the certificate.") - try: - tls_parts = {"cert_pem": cert_pem, "key_pem": key_pem} - for tls_part in tls_parts: - if tls_parts[tls_part] != "": - tls_update[tls_part] = tls_parts[tls_part] - except ValueError: - tls_update = True - - additional_request_kwargs = {} - if tls_update: - additional_request_kwargs = { - "verify": cacert, - # need to define dict as cert is a tuple - "cert": tuple([cert_pem, key_pem]), - } - - return self._adapter.login( - url=api_path, use_token=use_token, json=params, **additional_request_kwargs - ) - - class CertificateAuthError(Exception): - pass diff --git a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/gcp.py b/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/gcp.py deleted file mode 100644 index 072c172..0000000 --- a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/gcp.py +++ /dev/null 
@@ -1,463 +0,0 @@ -#!/usr/bin/env python -"""GCP methods module.""" -import logging - -from hvac import exceptions, utils -from hvac.api.vault_api_base import VaultApiBase -from hvac.constants.gcp import ALLOWED_ROLE_TYPES, GCP_CERTS_ENDPOINT -from hvac.utils import validate_list_of_strings_param, list_to_comma_delimited - -DEFAULT_MOUNT_POINT = "gcp" - -logger = logging.getLogger(__name__) - - -class Gcp(VaultApiBase): - """Google Cloud Auth Method (API). - - Reference: https://www.vaultproject.io/api/auth/{mount_point}/index.html - """ - - def configure( - self, - credentials=None, - google_certs_endpoint=GCP_CERTS_ENDPOINT, - mount_point=DEFAULT_MOUNT_POINT, - ): - """Configure the credentials required for the GCP auth method to perform API calls to Google Cloud. - - These credentials will be used to query the status of IAM entities and get service account or other Google - public certificates to confirm signed JWTs passed in during login. - - Supported methods: - POST: /auth/{mount_point}/config. Produces: 204 (empty body) - - - :param credentials: A JSON string containing the contents of a GCP credentials file. The credentials file must - have the following permissions: `iam.serviceAccounts.get`, `iam.serviceAccountKeys.get`. - If this value is empty, Vault will try to use Application Default Credentials from the machine on which the - Vault server is running. The project must have the iam.googleapis.com API enabled. - :type credentials: str | unicode - :param google_certs_endpoint: The Google OAuth2 endpoint from which to obtain public certificates. This is used - for testing and should generally not be set by end users. - :type google_certs_endpoint: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. 
- :rtype: requests.Response - """ - params = utils.remove_nones( - { - "credentials": credentials, - "google_certs_endpoint": google_certs_endpoint, - } - ) - api_path = utils.format_url( - "/v1/auth/{mount_point}/config", mount_point=mount_point - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def read_config(self, mount_point=DEFAULT_MOUNT_POINT): - """Read the configuration, if any, including credentials. - - Supported methods: - GET: /auth/{mount_point}/config. Produces: 200 application/json - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The data key from the JSON response of the request. - :rtype: dict - """ - api_path = utils.format_url( - "/v1/auth/{mount_point}/config", mount_point=mount_point - ) - response = self._adapter.get( - url=api_path, - ) - return response.get("data") - - def delete_config(self, mount_point=DEFAULT_MOUNT_POINT): - """Delete all GCP configuration data. This operation is idempotent. - - Supported methods: - DELETE: /auth/{mount_point}/config. Produces: 204 (empty body) - - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/auth/{mount_point}/config", mount_point=mount_point - ) - return self._adapter.delete( - url=api_path, - ) - - def create_role( - self, - name, - role_type, - project_id, - ttl=None, - max_ttl=None, - period=None, - policies=None, - bound_service_accounts=None, - max_jwt_exp=None, - allow_gce_inference=None, - bound_zones=None, - bound_regions=None, - bound_instance_groups=None, - bound_labels=None, - mount_point=DEFAULT_MOUNT_POINT, - ): - """Register a role in the GCP auth method. - - Role types have specific entities that can perform login operations against this endpoint. Constraints specific - to the role type must be set on the role. 
These are applied to the authenticated entities attempting to - login. - - Supported methods: - POST: /auth/{mount_point}/role/{name}. Produces: 204 (empty body) - - - :param name: The name of the role. - :type name: str | unicode - :param role_type: The type of this role. Certain fields correspond to specific roles and will be rejected - otherwise. - :type role_type: str | unicode - :param project_id: The GCP project ID. Only entities belonging to this project can authenticate with this role. - :type project_id: str | unicode - :param ttl: The TTL period of tokens issued using this role. This can be specified as an integer number of - seconds or as a duration value like "5m". - :type ttl: str | unicode - :param max_ttl: The maximum allowed lifetime of tokens issued in seconds using this role. This can be specified - as an integer number of seconds or as a duration value like "5m". - :type max_ttl: str | unicode - :param period: If set, indicates that the token generated using this role should never expire. The token should - be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the - value of this parameter. This can be specified as an integer number of seconds or as a duration value like - "5m". - :type period: str | unicode - :param policies: The list of policies to be set on tokens issued using this role. - :type policies: list - :param bound_service_accounts: A list of service account emails or IDs that login is - restricted to. If set to `*`, all service accounts are allowed (role will still be bound by project). Will be - inferred from service account used to issue metadata token for GCE instances. - :type bound_service_accounts: list - :param max_jwt_exp: The number of seconds past the time of authentication that the login param JWT - must expire within. 
For example, if a user attempts to login with a token that expires within an hour and - this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a - shorter exp. The GCE metadata tokens currently do not allow the exp claim to be customized. - :type max_jwt_exp: str | unicode - :param allow_gce_inference: A flag to determine if this role should allow GCE instances to - authenticate by inferring service accounts from the GCE identity metadata token. - :type allow_gce_inference: bool - :param bound_zones: The list of zones that a GCE instance must belong to in order to be - authenticated. If bound_instance_groups is provided, it is assumed to be a zonal group and the group must - belong to this zone. - :type bound_zones: list - :param bound_regions: The list of regions that a GCE instance must belong to in order to be - authenticated. If bound_instance_groups is provided, it is assumed to be a regional group and the group - must belong to this region. If bound_zones are provided, this attribute is ignored. - :type bound_regions: list - :param bound_instance_groups: The instance groups that an authorized instance must belong to in - order to be authenticated. If specified, either bound_zones or bound_regions must be set too. - :type bound_instance_groups: list - :param bound_labels: A list of GCP labels formatted as "key:value" strings that must be set on - authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this be used in - conjunction with other restrictions. - :type bound_labels: list - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The data key from the JSON response of the request. 
- :rtype: requests.Response - """ - type_specific_params = { - "iam": { - "max_jwt_exp": None, - "allow_gce_inference": None, - }, - "gce": { - "bound_zones": None, - "bound_regions": None, - "bound_instance_groups": None, - "bound_labels": None, - }, - } - - list_of_strings_params = { - "policies": policies, - "bound_service_accounts": bound_service_accounts, - "bound_zones": bound_zones, - "bound_regions": bound_regions, - "bound_instance_groups": bound_instance_groups, - "bound_labels": bound_labels, - } - for param_name, param_argument in list_of_strings_params.items(): - validate_list_of_strings_param( - param_name=param_name, - param_argument=param_argument, - ) - - if role_type not in ALLOWED_ROLE_TYPES: - error_msg = 'unsupported role_type argument provided "{arg}", supported types: "{role_types}"' - raise exceptions.ParamValidationError( - error_msg.format( - arg=type, - role_types=",".join(ALLOWED_ROLE_TYPES), - ) - ) - - params = { - "type": role_type, - "project_id": project_id, - "policies": list_to_comma_delimited(policies), - } - params.update( - utils.remove_nones( - { - "ttl": ttl, - "max_ttl": max_ttl, - "period": period, - } - ) - ) - if bound_service_accounts is not None: - params["bound_service_accounts"] = list_to_comma_delimited( - bound_service_accounts - ) - if role_type == "iam": - params.update( - utils.remove_nones( - { - "max_jwt_exp": max_jwt_exp, - "allow_gce_inference": allow_gce_inference, - } - ) - ) - for param, default_arg in type_specific_params["gce"].items(): - if locals().get(param) != default_arg: - warning_msg = 'Argument for parameter "{param}" ignored for role type iam'.format( - param=param - ) - logger.warning(warning_msg) - elif role_type == "gce": - if bound_zones is not None: - params["bound_zones"] = list_to_comma_delimited(bound_zones) - if bound_regions is not None: - params["bound_regions"] = list_to_comma_delimited(bound_regions) - if bound_instance_groups is not None: - params["bound_instance_groups"] = 
list_to_comma_delimited( - bound_instance_groups - ) - if bound_labels is not None: - params["bound_labels"] = list_to_comma_delimited(bound_labels) - for param, default_arg in type_specific_params["iam"].items(): - if locals().get(param) != default_arg: - warning_msg = 'Argument for parameter "{param}" ignored for role type gce'.format( - param=param - ) - logger.warning(warning_msg) - - api_path = utils.format_url( - "/v1/auth/{mount_point}/role/{name}", - mount_point=mount_point, - name=name, - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def edit_service_accounts_on_iam_role( - self, name, add=None, remove=None, mount_point=DEFAULT_MOUNT_POINT - ): - """Edit service accounts for an existing IAM role in the GCP auth method. - - This allows you to add or remove service accounts from the list of service accounts on the role. - - Supported methods: - POST: /auth/{mount_point}/role/{name}/service-accounts. Produces: 204 (empty body) - - - :param name: The name of an existing iam type role. This will return an error if role is not an iam type role. - :type name: str | unicode - :param add: The list of service accounts to add to the role's service accounts. - :type add: list - :param remove: The list of service accounts to remove from the role's service accounts. - :type remove: list - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - params = utils.remove_nones( - { - "add": add, - "remove": remove, - } - ) - api_path = utils.format_url( - "/v1/auth/{mount_point}/role/{name}/service-accounts", - mount_point=mount_point, - name=name, - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def edit_labels_on_gce_role( - self, name, add=None, remove=None, mount_point=DEFAULT_MOUNT_POINT - ): - """Edit labels for an existing GCE role in the backend. 
- - This allows you to add or remove labels (keys, values, or both) from the list of keys on the role. - - Supported methods: - POST: /auth/{mount_point}/role/{name}/labels. Produces: 204 (empty body) - - - :param name: The name of an existing gce role. This will return an error if role is not a gce type role. - :type name: str | unicode - :param add: The list of key:value labels to add to the GCE role's bound labels. - :type add: list - :param remove: The list of label keys to remove from the role's bound labels. If any of the specified keys do - not exist, no error is returned (idempotent). - :type remove: list - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the edit_labels_on_gce_role request. - :rtype: requests.Response - """ - params = utils.remove_nones( - { - "add": add, - "remove": remove, - } - ) - api_path = utils.format_url( - "/v1/auth/{mount_point}/role/{name}/labels", - mount_point=mount_point, - name=name, - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def read_role(self, name, mount_point=DEFAULT_MOUNT_POINT): - """Read the previously registered role configuration. - - Supported methods: - GET: /auth/{mount_point}/role/{name}. Produces: 200 application/json - - - :param name: The name of the role to read. - :type name: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The data key from the JSON response of the read_role request. - :rtype: JSON - """ - params = { - "name": name, - } - api_path = utils.format_url( - "/v1/auth/{mount_point}/role/{name}", - mount_point=mount_point, - name=name, - ) - response = self._adapter.get( - url=api_path, - json=params, - ) - return response.get("data") - - def list_roles(self, mount_point=DEFAULT_MOUNT_POINT): - """List all the roles that are registered with the plugin. - - Supported methods: - LIST: /auth/{mount_point}/roles. 
Produces: 200 application/json - - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The data key from the JSON response of the request. - :rtype: dict - """ - api_path = utils.format_url( - "/v1/auth/{mount_point}/roles", mount_point=mount_point - ) - response = self._adapter.list( - url=api_path, - ) - return response.get("data") - - def delete_role(self, role, mount_point=DEFAULT_MOUNT_POINT): - """Delete the previously registered role. - - Supported methods: - DELETE: /auth/{mount_point}/role/{role}. Produces: 204 (empty body) - - - :param role: The name of the role to delete. - :type role: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - params = { - "role": role, - } - api_path = utils.format_url( - "/v1/auth/{mount_point}/role/{role}", - mount_point=mount_point, - role=role, - ) - return self._adapter.delete( - url=api_path, - json=params, - ) - - def login(self, role, jwt, use_token=True, mount_point=DEFAULT_MOUNT_POINT): - """Login to retrieve a Vault token via the GCP auth method. - - This endpoint takes a signed JSON Web Token (JWT) and a role name for some entity. It verifies the JWT - signature with Google Cloud to authenticate that entity and then authorizes the entity for the given role. - - Supported methods: - POST: /auth/{mount_point}/login. Produces: 200 application/json - - - :param role: The name of the role against which the login is being attempted. - :type role: str | unicode - :param jwt: A signed JSON web token - :type jwt: str | unicode - :param use_token: if True, uses the token in the response received from the auth request to set the "token" - attribute on the the :py:meth:`hvac.adapters.Adapter` instance under the _adapter Client attribute. - :type use_token: bool - :param mount_point: The "path" the method/backend was mounted on. 
- :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: dict - """ - params = { - "role": role, - "jwt": jwt, - } - api_path = utils.format_url( - "/v1/auth/{mount_point}/login", mount_point=mount_point - ) - return self._adapter.login( - url=api_path, - use_token=use_token, - json=params, - ) diff --git a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/github.py b/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/github.py deleted file mode 100644 index 165d36e..0000000 --- a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/github.py +++ /dev/null 
@@ -1,241 +0,0 @@ -#!/usr/bin/env python -"""Github methods module.""" -from hvac import exceptions, utils -from hvac.api.vault_api_base import VaultApiBase - -DEFAULT_MOUNT_POINT = "github" - - -class Github(VaultApiBase): - """GitHub Auth Method (API). - - Reference: https://www.vaultproject.io/api/auth/github/index.html - """ - - def configure( - self, - organization, - base_url=None, - ttl=None, - max_ttl=None, - mount_point=DEFAULT_MOUNT_POINT, - ): - """Configure the connection parameters for GitHub. - - This path honors the distinction between the create and update capabilities inside ACL policies. - - Supported methods: - POST: /auth/{mount_point}/config. Produces: 204 (empty body) - - - :param organization: The organization users must be part of. - :type organization: str | unicode - :param base_url: The API endpoint to use. Useful if you are running GitHub Enterprise or an API-compatible - authentication server. - :type base_url: str | unicode - :param ttl: Duration after which authentication will be expired. - :type ttl: str | unicode - :param max_ttl: Maximum duration after which authentication will - be expired. - :type max_ttl: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the configure_method request. - :rtype: requests.Response - """ - params = { - "organization": organization, - } - params.update( - utils.remove_nones( - { - "base_url": base_url, - "ttl": ttl, - "max_ttl": max_ttl, - } - ) - ) - api_path = utils.format_url( - "/v1/auth/{mount_point}/config", - mount_point=mount_point, - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def read_configuration(self, mount_point=DEFAULT_MOUNT_POINT): - """Read the GitHub configuration. - - Supported methods: - GET: /auth/{mount_point}/config. Produces: 200 application/json - - - :param mount_point: The "path" the method/backend was mounted on. 
- :type mount_point: str | unicode - :return: The JSON response of the read_configuration request. - :rtype: dict - """ - api_path = utils.format_url( - "/v1/auth/{mount_point}/config", - mount_point=mount_point, - ) - return self._adapter.get(url=api_path) - - def map_team(self, team_name, policies=None, mount_point=DEFAULT_MOUNT_POINT): - """Map a list of policies to a team that exists in the configured GitHub organization. - - Supported methods: - POST: /auth/{mount_point}/map/teams/{team_name}. Produces: 204 (empty body) - - - :param team_name: GitHub team name in "slugified" format - :type team_name: str | unicode - :param policies: Comma separated list of policies to assign - :type policies: List[str] - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the map_github_teams request. - :rtype: requests.Response - """ - # First, perform parameter validation. - if policies is None: - policies = [] - if not isinstance(policies, list) or not all( - isinstance(p, str) for p in policies - ): - error_msg = 'unsupported policies argument provided "{arg}" ({arg_type}), required type: List[str]"' - raise exceptions.ParamValidationError( - error_msg.format( - arg=policies, - arg_type=type(policies), - ) - ) - # Then, perform request. - params = { - "value": ",".join(policies), - } - api_path = utils.format_url( - "/v1/auth/{mount_point}/map/teams/{team_name}", - mount_point=mount_point, - team_name=team_name, - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def read_team_mapping(self, team_name, mount_point=DEFAULT_MOUNT_POINT): - """Read the GitHub team policy mapping. - - Supported methods: - GET: /auth/{mount_point}/map/teams/{team_name}. Produces: 200 application/json - - - :param team_name: GitHub team name - :type team_name: str | unicode - :param mount_point: The "path" the method/backend was mounted on. 
- :type mount_point: str | unicode - :return: The JSON response of the read_team_mapping request. - :rtype: dict - """ - api_path = utils.format_url( - "/v1/auth/{mount_point}/map/teams/{team_name}", - mount_point=mount_point, - team_name=team_name, - ) - return self._adapter.get(url=api_path) - - def map_user(self, user_name, policies=None, mount_point=DEFAULT_MOUNT_POINT): - """Map a list of policies to a specific GitHub user exists in the configured organization. - - Supported methods: - POST: /auth/{mount_point}/map/users/{user_name}. Produces: 204 (empty body) - - - :param user_name: GitHub user name - :type user_name: str | unicode - :param policies: Comma separated list of policies to assign - :type policies: List[str] - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the map_github_users request. - :rtype: requests.Response - """ - # First, perform parameter validation. - if policies is None: - policies = [] - if not isinstance(policies, list) or not all( - isinstance(p, str) for p in policies - ): - error_msg = 'unsupported policies argument provided "{arg}" ({arg_type}), required type: List[str]"' - raise exceptions.ParamValidationError( - error_msg.format( - arg=policies, - arg_type=type(policies), - ) - ) - - # Then, perform request. - params = { - "value": ",".join(policies), - } - api_path = utils.format_url( - "/v1/auth/{mount_point}/map/users/{user_name}", - mount_point=mount_point, - user_name=user_name, - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def read_user_mapping(self, user_name, mount_point=DEFAULT_MOUNT_POINT): - """Read the GitHub user policy mapping. - - Supported methods: - GET: /auth/{mount_point}/map/users/{user_name}. Produces: 200 application/json - - - :param user_name: GitHub user name - :type user_name: str | unicode - :param mount_point: The "path" the method/backend was mounted on. 
- :type mount_point: str | unicode - :return: The JSON response of the read_user_mapping request. - :rtype: dict - """ - api_path = utils.format_url( - "/v1/auth/{mount_point}/map/users/{user_name}", - mount_point=mount_point, - user_name=user_name, - ) - return self._adapter.get(url=api_path) - - def login(self, token, use_token=True, mount_point=DEFAULT_MOUNT_POINT): - """Login using GitHub access token. - - Supported methods: - POST: /auth/{mount_point}/login. Produces: 200 application/json - - - :param token: GitHub personal API token. - :type token: str | unicode - :param use_token: if True, uses the token in the response received from the auth request to set the "token" - attribute on the the :py:meth:`hvac.adapters.Adapter` instance under the _adapter Client attribute. - :type use_token: bool - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the login request. - :rtype: dict - """ - params = { - "token": token, - } - api_path = utils.format_url( - "/v1/auth/{mount_point}/login", mount_point=mount_point - ) - return self._adapter.login( - url=api_path, - use_token=use_token, - json=params, - ) diff --git a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/jwt.py b/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/jwt.py deleted file mode 100644 index 8acc59b..0000000 --- a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/jwt.py +++ /dev/null 
@@ -1,457 +0,0 @@ -#!/usr/bin/env python -"""JWT/OIDC methods module.""" -from hvac import utils -from hvac.api.vault_api_base import VaultApiBase - - -class JWT(VaultApiBase): - """JWT auth method which can be used to authenticate with Vault by providing a JWT. - - The OIDC method allows authentication via a configured OIDC provider using the user's web browser. - This method may be initiated from the Vault UI or the command line. Alternatively, a JWT can be provided directly. - The JWT is cryptographically verified using locally-provided keys, or, if configured, an OIDC Discovery service can - be used to fetch the appropriate keys. The choice of method is configured per role. - - Reference: https://www.vaultproject.io/api/auth/jwt - """ - - DEFAULT_PATH = "jwt" - - def resolve_path(self, path): - """Return the class's default path if no explicit path is specified. - - :param path: The "path" the method/backend was mounted on. - :type path: str | unicode - :return: The default path for this auth method if no explicit path is specified. - :rtype: str - """ - return path if path is not None else self.DEFAULT_PATH - - def configure( - self, - oidc_discovery_url=None, - oidc_discovery_ca_pem=None, - oidc_client_id=None, - oidc_client_secret=None, - oidc_response_mode=None, - oidc_response_types=None, - jwks_url=None, - jwks_ca_pem=None, - jwt_validation_pubkeys=None, - bound_issuer=None, - jwt_supported_algs=None, - default_role=None, - provider_config=None, - path=None, - namespace_in_state=None, - ): - """Configure the validation information to be used globally across all roles. - - One (and only one) of oidc_discovery_url and jwt_validation_pubkeys must be set. - - Supported methods: - POST: /auth/{path}/config. - - :param oidc_discovery_url: The OIDC Discovery URL, without any .well-known component (base path). Cannot be - used with "jwks_url" or "jwt_validation_pubkeys". 
- :type oidc_discovery_url: str | unicode - :param oidc_discovery_ca_pem: The CA certificate or chain of certificates, in PEM format, to use to validate - connections to the OIDC Discovery URL. If not set, system certificates are used. - :type oidc_discovery_ca_pem: str | unicode - :param oidc_client_id: The OAuth Client ID from the provider for OIDC roles. - :type oidc_client_id: str | unicode - :param oidc_client_secret: The OAuth Client Secret from the provider for OIDC roles. - :type oidc_client_secret: str | unicode - :param oidc_response_mode: The response mode to be used in the OAuth2 request. Allowed values are "query" and - form_post". Defaults to "query". - :type oidc_response_mode: str | unicode - :param oidc_response_types: The response types to request. Allowed values are "code" and "id_token". Defaults - to "code". Note: "id_token" may only be used if "oidc_response_mode" is set to "form_post". - :type oidc_response_types: str | unicode - :param jwks_url: JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or - "jwt_validation_pubkeys". - :type jwks_url: str | unicode - :param jwks_ca_pem: The CA certificate or chain of certificates, in PEM format, to use to validate connections - to the JWKS URL. If not set, system certificates are used. - :type jwks_ca_pem: str | unicode - :param jwt_validation_pubkeys: A list of PEM-encoded public keys to use to authenticate signatures locally. - Cannot be used with "jwks_url" or "oidc_discovery_url". - :type jwt_validation_pubkeys: str | unicode - :param bound_issuer: in a JWT. - :type bound_issuer: str | unicode - :param jwt_supported_algs: A list of supported signing algorithms. Defaults to [RS256]. - :type jwt_supported_algs: str | unicode - :param default_role: The default role to use if none is provided during login. - :type default_role: str | unicode - :param provider_config: TypeError - :type provider_config: map - :param path: The "path" the method/backend was mounted on. 
- :type path: str | unicode - :param namespace_in_state: With this setting, the allowed redirect URL(s) in Vault and on the provider side - should not contain a namespace query parameter. - :type namespace_in_state: bool - :return: The response of the configure request. - :rtype: requests.Response - """ - params = utils.remove_nones( - { - "oidc_discovery_url": oidc_discovery_url, - "oidc_discovery_ca_pem": oidc_discovery_ca_pem, - "oidc_client_id": oidc_client_id, - "oidc_client_secret": oidc_client_secret, - "oidc_response_mode": oidc_response_mode, - "oidc_response_types": oidc_response_types, - "jwks_url": jwks_url, - "jwks_ca_pem": jwks_ca_pem, - "jwt_validation_pubkeys": jwt_validation_pubkeys, - "bound_issuer": bound_issuer, - "jwt_supported_algs": jwt_supported_algs, - "default_role": default_role, - "provider_config": provider_config, - "namespace_in_state": namespace_in_state, - } - ) - api_path = utils.format_url( - "/v1/auth/{path}/config", - path=self.resolve_path(path), - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def read_config(self, path=None): - """Read the previously configured config. - - Supported methods: - GET: /auth/{path}/config. - - :return: The response of the read_config request. 
- :rtype: dict - """ - api_path = utils.format_url( - "/v1/auth/{path}/config", - path=self.resolve_path(path), - ) - return self._adapter.get( - url=api_path, - ) - - def create_role( - self, - name, - user_claim, - allowed_redirect_uris, - role_type="jwt", - bound_audiences=None, - clock_skew_leeway=None, - expiration_leeway=None, - not_before_leeway=None, - bound_subject=None, - bound_claims=None, - groups_claim=None, - claim_mappings=None, - oidc_scopes=None, - bound_claims_type="string", - verbose_oidc_logging=False, - token_ttl=None, - token_max_ttl=None, - token_policies=None, - token_bound_cidrs=None, - token_explicit_max_ttl=None, - token_no_default_policy=None, - token_num_uses=None, - token_period=None, - token_type=None, - path=None, - user_claim_json_pointer=None, - ): - """Register a role in the JWT method. - - Role types have specific entities that can perform login operations against this endpoint. Constraints - specific to the role type must be set on the role. These are applied to the authenticated entities - attempting to login. At least one of the bound values must be set. - - Supported methods: - POST: /auth/{path}/role/:name. - - :param name: Name of the role. - :type name: str | unicode - :param role_type: Type of role, either "oidc" or "jwt" (default). - :type role_type: str | unicode - :param bound_audiences: List of aud claims to match against. Any match is sufficient. - Required for "jwt" roles, optional for "oidc" roles. - :type bound_audiences: list - :param user_claim: The claim to use to uniquely identify the user; this will be used as the name for the - Identity entity alias created due to a successful login. The interpretation of the user claim - is configured with ``user_claim_json_pointer``. If set to ``True``, ``user_claim`` supports JSON pointer syntax - for referencing a claim. The claim value must be a string. - :type user_claim: str | unicode - :param clock_skew_leeway: Only applicable with "jwt" roles. 
- :type clock_skew_leeway: int - :param expiration_leeway: Only applicable with "jwt" roles. - :type expiration_leeway: int - :param not_before_leeway: Only applicable with "jwt" roles. - :type not_before_leeway: int - :param bound_subject: If set, requires that the sub claim matches this value. - :type bound_subject: str | unicode - :param bound_claims: If set, a dict of claims (keys) to match against respective claim values (values). - The expected value may be a single string or a list of strings. The interpretation of the bound claim - values is configured with bound_claims_type. Keys support JSON pointer syntax for referencing claims. - :type bound_claims: dict - :param groups_claim: The claim to use to uniquely identify the set of groups to which the user belongs; this - will be used as the names for the Identity group aliases created due to a successful login. The claim value - must be a list of strings. Supports JSON pointer syntax for referencing claims. - :type groups_claim: str | unicode - :param claim_mappings: If set, a map of claims (keys) to be copied to specified metadata fields (values). Keys - support JSON pointer syntax for referencing claims. - :type claim_mappings: map - :param oidc_scopes: If set, a list of OIDC scopes to be used with an OIDC role. - The standard scope "openid" is automatically included and need not be specified. - :type oidc_scopes: list - :param allowed_redirect_uris: The list of allowed values for redirect_uri - during OIDC logins. - :type allowed_redirect_uris: list - :param bound_claims_type: Configures the interpretation of the bound_claims values. If "string" (the default), - the values will treated as string literals and must match exactly. If set to "glob", the values will be - interpreted as globs, with * matching any number of characters. - :type bound_claims_type: str | unicode - :param verbose_oidc_logging: Log received OIDC tokens and claims when debug-level - logging is active. 
Not recommended in production since sensitive information may be present - in OIDC responses. - :type verbose_oidc_logging: bool - :param token_ttl: The incremental lifetime for generated tokens. This current value of this will be referenced - at renewal time. - :type token_ttl: int | str - :param token_max_ttl: The maximum lifetime for generated tokens. This current value of this will be referenced - at renewal time. - :type token_max_ttl: int | str - :param token_policies: List of policies to encode onto generated tokens. Depending on the auth method, this - list may be supplemented by user/group/other values. - :type token_policies: list[str] - :param token_bound_cidrs: List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate - successfully, and ties the resulting token to these blocks as well. - :type token_bound_cidrs: list[str] - :param token_explicit_max_ttl: If set, will encode an explicit max TTL onto the token. This is a hard cap - even if token_ttl and token_max_ttl would otherwise allow a renewal. - :type token_explicit_max_ttl: int | str - :param token_no_default_policy: If set, the default policy will not be set on generated tokens; otherwise it - will be added to the policies set in token_policies. - :type token_no_default_policy: bool - :param token_num_uses: The maximum number of times a generated token may be used (within its lifetime); 0 means - unlimited. If you require the token to have the ability to create child tokens, you will need to set this - value to 0. - :type token_num_uses: str | unicode - :param token_period: The period, if any, to set on the token. - :type token_period: int | str - :param token_type: The type of token that should be generated. Can be service, batch, or default. - :type token_type: str - :param path: The "path" the method/backend was mounted on. 
- :type path: str | unicode - :param user_claim_json_pointer: Specifies if the ``user_claim`` value uses JSON pointer syntax for referencing claims. - By default, the ``user_claim`` value will not use JSON pointer. - :type user_claim_json_pointer: bool - :return: The response of the create_role request. - :rtype: dict - """ - params = utils.remove_nones( - { - "name": name, - "role_type": role_type, - "bound_audiences": bound_audiences, - "user_claim": user_claim, - "clock_skew_leeway": clock_skew_leeway, - "expiration_leeway": expiration_leeway, - "not_before_leeway": not_before_leeway, - "bound_subject": bound_subject, - "bound_claims": bound_claims, - "groups_claim": groups_claim, - "claim_mappings": claim_mappings, - "oidc_scopes": oidc_scopes, - "allowed_redirect_uris": allowed_redirect_uris, - "bound_claims_type": bound_claims_type, - "verbose_oidc_logging": verbose_oidc_logging, - "token_ttl": token_ttl, - "token_max_ttl": token_max_ttl, - "token_policies": token_policies, - "token_bound_cidrs": token_bound_cidrs, - "token_explicit_max_ttl": token_explicit_max_ttl, - "token_no_default_policy": token_no_default_policy, - "token_num_uses": token_num_uses, - "token_period": token_period, - "token_type": token_type, - "user_claim_json_pointer": user_claim_json_pointer, - } - ) - api_path = utils.format_url( - "/v1/auth/{path}/role/{name}", - path=self.resolve_path(path), - name=name, - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def read_role(self, name, path=None): - """Read the previously registered role configuration. - - Supported methods: - GET: /auth/{path}/role/:name. - - :param name: Name of the role. - :type name: str | unicode - :param path: The "path" the method/backend was mounted on. - :type path: str | unicode - :return: The response of the read_role request. 
- :rtype: dict - """ - api_path = utils.format_url( - "/v1/auth/{path}/role/{name}", - path=self.resolve_path(path), - name=name, - ) - return self._adapter.get( - url=api_path, - ) - - def list_roles(self, path=None): - """List all the roles that are registered with the plugin. - - Supported methods: - LIST: /auth/{path}/role. - - :param path: The "path" the method/backend was mounted on. - :type path: str | unicode - :return: The response of the list_roles request. - :rtype: dict - """ - api_path = utils.format_url( - "/v1/auth/{path}/role", - path=self.resolve_path(path), - ) - return self._adapter.list( - url=api_path, - ) - - def delete_role(self, name, path=None): - """Delete the previously registered role. - - Supported methods: - DELETE: /auth/{path}/role/:name. - - :param name: Name of the role. - :type name: str | unicode - :param path: The "path" the method/backend was mounted on. - :type path: str | unicode - :return: The response of the delete_role request. - :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/auth/{path}/role/{name}", - path=self.resolve_path(path), - name=name, - ) - return self._adapter.delete( - url=api_path, - ) - - def oidc_authorization_url_request(self, role, redirect_uri, path=None): - """Obtain an authorization URL from Vault to start an OIDC login flow. - - Supported methods: - POST: /auth/{path}/auth_url. - - :param role: not provided. - :type role: str | unicode - :param redirect_uri: more information. - :type redirect_uri: str | unicode - :param path: The "path" the method/backend was mounted on. - :type path: str | unicode - :return: The response of the _authorization_url_request request. 
- :rtype: requests.Response - """ - params = { - "role": role, - "redirect_uri": redirect_uri, - } - api_path = utils.format_url( - "/v1/auth/{path}/oidc/auth_url", - path=self.resolve_path(path), - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def oidc_callback(self, state, nonce, code, path=None): - """Exchange an authorization code for an OIDC ID Token. - - The ID token will be further validated against any bound claims, and if valid a Vault token will be returned. - - Supported methods: - GET: /auth/{path}/callback. - - :param state: Opaque state ID that is part of the Authorization URL and will - be included in the the redirect following successful authentication on the provider. - :type state: str | unicode - :param nonce: Opaque nonce that is part of the Authorization URL and will - be included in the the redirect following successful authentication on the provider. - :type nonce: str | unicode - :param code: Provider-generated authorization code that Vault will exchange for - an ID token. - :type code: str | unicode - :param path: The "path" the method/backend was mounted on. - :type path: str | unicode - :return: The response of the _callback request. - :rtype: requests.Response - """ - params = { - "state": state, - "nonce": nonce, - "code": code, - } - api_path = utils.format_url( - "/v1/auth/{path}/oidc/callback?state={state}&nonce={nonce}&code={code}", - path=self.resolve_path(path), - state=state, - nonce=nonce, - code=code, - ) - return self._adapter.get( - url=api_path, - json=params, - ) - - def jwt_login(self, role, jwt, use_token=True, path=None): - """Fetch a token. - - This endpoint takes a signed JSON Web Token (JWT) and a role name for some entity. - It verifies the JWT signature to authenticate that entity and then authorizes the - entity for the given role. - - Supported methods: - POST: /auth/{path}/login. - - :param role: not provided. - :type role: str | unicode - :param jwt: Signed JSON Web Token (JWT). 
- :type jwt: str | unicode - :param path: The "path" the method/backend was mounted on. - :type path: str | unicode - :return: The response of the jwt_login request. - :rtype: requests.Response - """ - params = { - "role": role, - "jwt": jwt, - } - api_path = utils.format_url( - "/v1/auth/{path}/login", - path=self.resolve_path(path), - ) - return self._adapter.login( - url=api_path, - use_token=use_token, - json=params, - ) diff --git a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/kubernetes.py b/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/kubernetes.py deleted file mode 100644 index 26e99b4..0000000 --- a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/kubernetes.py +++ /dev/null 
@@ -1,308 +0,0 @@ -#!/usr/bin/env python -"""Kubernetes methods module.""" -from hvac import utils -from hvac.api.vault_api_base import VaultApiBase -from hvac.utils import ( - validate_list_of_strings_param, - comma_delimited_to_list, - validate_pem_format, -) - -DEFAULT_MOUNT_POINT = "kubernetes" - - -class Kubernetes(VaultApiBase): - """Kubernetes Auth Method (API). - - Reference: https://www.vaultproject.io/api/auth/kubernetes/index.html - """ - - def configure( - self, - kubernetes_host, - kubernetes_ca_cert=None, - token_reviewer_jwt=None, - pem_keys=None, - issuer=None, - mount_point=DEFAULT_MOUNT_POINT, - disable_local_ca_jwt=False, - ): - """Configure the connection parameters for Kubernetes. - - This path honors the distinction between the create and update capabilities inside ACL policies. - - Supported methods: - POST: /auth/{mount_point}/config. Produces: 204 (empty body) - - :param kubernetes_host: Host must be a host string, a host:port pair, or a URL to the base of the - Kubernetes API server. Example: https://k8s.example.com:443 - :type kubernetes_host: str | unicode - :param kubernetes_ca_cert: PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API. - NOTE: Every line must end with a newline: \n - :type kubernetes_ca_cert: str | unicode - :param token_reviewer_jwt: A service account JWT used to access the TokenReview API to validate other - JWTs during login. If not set the JWT used for login will be used to access the API. - :type token_reviewer_jwt: str | unicode - :param pem_keys: Optional list of PEM-formatted public keys or certificates used to verify the signatures of - Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every - installation of Kubernetes exposes these keys. - :type pem_keys: list - :param issuer: Optional JWT issuer. - :type token_reviewer_jwt: str | unicode - :param mount_point: The "path" the method/backend was mounted on. 
- :type mount_point: str | unicode - :param disable_local_ca_jwt: Disable defaulting to the local CA cert and service account JWT - :type disable_local_ca_jwt: bool - :return: The response of the configure_method request. - :rtype: requests.Response - """ - list_of_pem_params = { - "kubernetes_ca_cert": kubernetes_ca_cert, - "pem_keys": pem_keys, - } - for param_name, param_argument in list_of_pem_params.items(): - if param_argument is not None: - validate_pem_format( - param_name=param_name, - param_argument=param_argument, - ) - - params = { - "kubernetes_host": kubernetes_host, - "disable_local_ca_jwt": disable_local_ca_jwt, - } - params.update( - utils.remove_nones( - { - "kubernetes_ca_cert": kubernetes_ca_cert, - "token_reviewer_jwt": token_reviewer_jwt, - "pem_keys": pem_keys, - "issuer": issuer, - } - ) - ) - api_path = utils.format_url( - "/v1/auth/{mount_point}/config", mount_point=mount_point - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def read_config(self, mount_point=DEFAULT_MOUNT_POINT): - """Return the previously configured config, including credentials. - - Supported methods: - GET: /auth/{mount_point}/config. Produces: 200 application/json - - :param mount_point: The "path" the kubernetes auth method was mounted on. - :type mount_point: str | unicode - :return: The data key from the JSON response of the request. - :rtype: dict - """ - api_path = utils.format_url( - "/v1/auth/{mount_point}/config", mount_point=mount_point - ) - response = self._adapter.get( - url=api_path, - ) - return response.get("data") - - def create_role( - self, - name, - bound_service_account_names, - bound_service_account_namespaces, - ttl=None, - max_ttl=None, - period=None, - policies=None, - token_type="", - mount_point=DEFAULT_MOUNT_POINT, - alias_name_source=None, - ): - """Create a role in the method. - - Registers a role in the auth method. Role types have specific entities that can perform login operations - against this endpoint. 
Constraints specific to the role type must be set on the role. These are applied to - the authenticated entities attempting to login. - - Supported methods: - POST: /auth/{mount_point}/role/{name}. Produces: 204 (empty body) - - :param name: Name of the role. - :type name: str | unicode - :param bound_service_account_names: List of service account names able to access this role. If set to "*" - all names are allowed. - :type bound_service_account_names: list | str | unicode - :param bound_service_account_namespaces: List of namespaces allowed to access this role. If set to "*" all - namespaces are allowed. - :type bound_service_account_namespaces: list | str | unicode - :param ttl: The TTL period of tokens issued using this role in seconds. - :type ttl: str | unicode - :param max_ttl: The maximum allowed lifetime of tokens issued in seconds using this role. - :type max_ttl: str | unicode - :param period: If set, indicates that the token generated using this role should never expire. The token should - be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the - value of this parameter. - :type period: str | unicode - :param policies: Policies to be set on tokens issued using this role. - :type policies: list | str | unicode - :param token_type: The type of token that should be generated. Can be service, batch, or default to use the - mount's tuned default (which unless changed will be service tokens). For token store roles, there are two - additional possibilities: default-service and default-batch which specify the type to return unless the - client requests a different type at generation time. - :type token_type: str - :param mount_point: The "path" the kubernetes auth method was mounted on. - :type mount_point: str | unicode - :param alias_name_source: Configures how identity aliases are generated. - Valid choices are: serviceaccount_uid, serviceaccount_name. 
- :type alias_name_source: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - list_of_strings_params = { - "bound_service_account_names": bound_service_account_names, - "bound_service_account_namespaces": bound_service_account_namespaces, - "policies": policies, - } - for param_name, param_argument in list_of_strings_params.items(): - validate_list_of_strings_param( - param_name=param_name, - param_argument=param_argument, - ) - - params = { - "bound_service_account_names": comma_delimited_to_list( - bound_service_account_names - ), - "bound_service_account_namespaces": comma_delimited_to_list( - bound_service_account_namespaces - ), - } - if alias_name_source is not None: - params["alias_name_source"] = alias_name_source - - params.update( - utils.remove_nones( - { - "ttl": ttl, - "max_ttl": max_ttl, - "period": period, - } - ) - ) - if policies is not None: - params["policies"] = comma_delimited_to_list(policies) - - if token_type: - params["token_type"] = token_type - - api_path = utils.format_url( - "/v1/auth/{mount_point}/role/{name}", mount_point=mount_point, name=name - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def read_role(self, name, mount_point=DEFAULT_MOUNT_POINT): - """Returns the previously registered role configuration. - - Supported methods: - POST: /auth/{mount_point}/role/{name}. Produces: 200 application/json - - :param name: Name of the role. - :type name: str | unicode - :param mount_point: The "path" the kubernetes auth method was mounted on. - :type mount_point: str | unicode - :return: The "data" key from the JSON response of the request. - :rtype: dict - """ - api_path = utils.format_url( - "/v1/auth/{mount_point}/role/{name}", - mount_point=mount_point, - name=name, - ) - response = self._adapter.get( - url=api_path, - ) - return response.get("data") - - def list_roles(self, mount_point=DEFAULT_MOUNT_POINT): - """List all the roles that are registered with the plugin. 
- - Supported methods: - LIST: /auth/{mount_point}/role. Produces: 200 application/json - - :param mount_point: The "path" the kubernetes auth method was mounted on. - :type mount_point: str | unicode - :return: The "data" key from the JSON response of the request. - :rtype: dict - """ - api_path = utils.format_url( - "/v1/auth/{mount_point}/role", mount_point=mount_point - ) - response = self._adapter.list( - url=api_path, - ) - return response.get("data") - - def delete_role(self, name, mount_point=DEFAULT_MOUNT_POINT): - """Delete the previously registered role. - - Supported methods: - DELETE: /auth/{mount_point}/role/{name}. Produces: 204 (empty body) - - - :param name: Name of the role. - :type name: str | unicode - :param mount_point: The "path" the kubernetes auth method was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/auth/{mount_point}/role/{name}", - mount_point=mount_point, - name=name, - ) - return self._adapter.delete( - url=api_path, - ) - - def login(self, role, jwt, use_token=True, mount_point=DEFAULT_MOUNT_POINT): - """Fetch a token. - - This endpoint takes a signed JSON Web Token (JWT) and a role name for some entity. It verifies the JWT signature - to authenticate that entity and then authorizes the entity for the given role. - - Supported methods: - POST: /auth/{mount_point}/login. Produces: 200 application/json - - :param role: Name of the role against which the login is being attempted. - :type role: str | unicode - :param jwt: Signed JSON Web Token (JWT) from Kubernetes service account. - :type jwt: str | unicode - :param use_token: if True, uses the token in the response received from the auth request to set the "token" - attribute on the the :py:meth:`hvac.adapters.Adapter` instance under the _adapter Client attribute. - :type use_token: bool - :param mount_point: The "path" the kubernetes auth method was mounted on. 
- :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: dict - """ - params = { - "role": role, - "jwt": jwt, - } - - api_path = utils.format_url( - "/v1/auth/{mount_point}/login", mount_point=mount_point - ) - response = self._adapter.login( - url=api_path, - use_token=use_token, - json=params, - ) - return response diff --git a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/ldap.py b/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/ldap.py deleted file mode 100644 index 8faeaa9..0000000 --- a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/ldap.py +++ /dev/null 
@@ -1,541 +0,0 @@ -#!/usr/bin/env python -"""LDAP methods module.""" -from hvac import exceptions, utils -from hvac.api.vault_api_base import VaultApiBase - -DEFAULT_MOUNT_POINT = "ldap" - - -class Ldap(VaultApiBase): - """LDAP Auth Method (API). - - Reference: https://www.vaultproject.io/api/auth/ldap/index.html - """ - - @utils.aliased_parameter( - "userdn", "user_dn", removed_in_version="3.0.0", position=1 - ) - @utils.aliased_parameter( - "groupdn", "group_dn", removed_in_version="3.0.0", position=2 - ) - @utils.aliased_parameter( - "binddn", "bind_dn", removed_in_version="3.0.0", position=10 - ) - @utils.aliased_parameter( - "bindpass", "bind_pass", removed_in_version="3.0.0", position=11 - ) - @utils.aliased_parameter( - "userattr", "user_attr", removed_in_version="3.0.0", position=12 - ) - @utils.aliased_parameter( - "discoverdn", "discover_dn", removed_in_version="3.0.0", position=13 - ) - @utils.aliased_parameter( - "upndomain", "upn_domain", removed_in_version="3.0.0", position=15 - ) - @utils.aliased_parameter( - "groupfilter", "group_filter", removed_in_version="3.0.0", position=16 - ) - @utils.aliased_parameter( - "groupattr", "group_attr", removed_in_version="3.0.0", position=17 - ) - def configure( - self, - userdn=None, - groupdn=None, - url=None, - case_sensitive_names=None, - starttls=None, - tls_min_version=None, - tls_max_version=None, - insecure_tls=None, - certificate=None, - binddn=None, - bindpass=None, - userattr=None, - discoverdn=None, - deny_null_bind=True, - upndomain=None, - groupfilter=None, - groupattr=None, - use_token_groups=None, - token_ttl=None, - token_max_ttl=None, - mount_point=DEFAULT_MOUNT_POINT, - *, - anonymous_group_search=None, - client_tls_cert=None, - client_tls_key=None, - connection_timeout=None, - dereference_aliases=None, - max_page_size=None, - request_timeout=None, - token_bound_cidrs=None, - token_explicit_max_ttl=None, - token_no_default_policy=None, - token_num_uses=None, - token_period=None, - 
token_policies=None, - token_type=None, - userfilter=None, - username_as_alias=None, - ): - """ - Configure the LDAP auth method. - - Supported methods: - POST: /auth/{mount_point}/config. Produces: 204 (empty body) - - :param anonymous_group_search: Use anonymous binds when performing LDAP group searches (note: even when true, - the initial credentials will still be used for the initial connection test). - :type anonymous_group_search: bool - :param client_tls_cert: Client certificate to provide to the LDAP server, must be x509 PEM encoded. - :type client_tls_cert: str | unicode - :param client_tls_key: Client certificate key to provide to the LDAP server, must be x509 PEM encoded. - :type client_tls_key: str | unicode - :param connection_timeout: Timeout, in seconds, when attempting to connect to the LDAP server before trying the - next URL in the configuration. - :type connection_timeout: int - :param dereference_aliases: When aliases should be dereferenced on search operations. - Accepted values are 'never', 'finding', 'searching', 'always'. - :type dereference_aliases: str | unicode - :param max_page_size: If set to a value greater than 0, the LDAP backend will use the LDAP server's paged search - control to request pages of up to the given size. - :type max_page_size: int - :param request_timeout: Timeout, in seconds, for the connection when making requests against the server before - returning back an error. - :type request_timeout: str | unicode - :param token_bound_cidrs: List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate - successfully, and ties the resulting token to these blocks as well. - :type token_bound_cidrs: list - :param token_explicit_max_ttl: If set, will encode an explicit max TTL onto the token. This is a hard cap even - if token_ttl and token_max_ttl would otherwise allow a renewal. 
- :type token_explicit_max_ttl: str | unicode - :param token_no_default_policy: If set, the default policy will not be set on generated tokens; otherwise it - will be added to the policies set in token_policies. - :type token_no_default_policy: bool - :param token_num_uses: The maximum number of times a generated token may be used (within its lifetime); 0 means - unlimited. - :type token_num_uses: int - :param token_period: The maximum allowed period value when a periodic token is requested from this role. - :type token_period: str | unicode - :param token_policies: List of token policies to encode onto generated tokens. - :type token_policies: list - :param token_type: The type of token that should be generated. - :type token_type: str | unicode - :param userfilter: An optional LDAP user search filter. - :type userfilter: str | unicode - :param username_as_alias: If set to true, forces the auth method to use the username passed by the user as the - alias name. - :type username_as_alias: bool - :param userdn: Base DN under which to perform user search. Example: ou=Users,dc=example,dc=com - :type userdn: str | unicode - :param user_dn: Alias for userdn. This alias will be removed in v3.0.0. - :type user_dn: str | unicode - :param groupdn: LDAP search base to use for group membership search. This can be the root containing either - groups or users. Example: ou=Groups,dc=example,dc=com - :type groupdn: str | unicode - :param group_dn: Alias for groupdn. This alias will be removed in v3.0.0. - :type group_dn: str | unicode - :param url: The LDAP server to connect to. Examples: ldap://ldap.myorg.com, ldaps://ldap.myorg.com:636. - Multiple URLs can be specified with commas, e.g. ldap://ldap.myorg.com,ldap://ldap2.myorg.com; these will be - tried in-order. - :type url: str | unicode - :param case_sensitive_names: If set, user and group names assigned to policies within the backend will be case - sensitive. Otherwise, names will be normalized to lower case. 
Case will still be preserved when sending the - username to the LDAP server at login time; this is only for matching local user/group definitions. - :type case_sensitive_names: bool - :param starttls: If true, issues a StartTLS command after establishing an unencrypted connection. - :type starttls: bool - :param tls_min_version: Minimum TLS version to use. Accepted values are tls10, tls11 or tls12. - :type tls_min_version: str | unicode - :param tls_max_version: Maximum TLS version to use. Accepted values are tls10, tls11 or tls12. - :type tls_max_version: str | unicode - :param insecure_tls: If true, skips LDAP server SSL certificate verification - insecure, use with caution! - :type insecure_tls: bool - :param certificate: CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded. - :type certificate: str | unicode - :param binddn: Distinguished name of object to bind when performing user search. Example: - cn=vault,ou=Users,dc=example,dc=com - :type binddn: str | unicode - :param bind_dn: Alias for binddn. This alias will be removed in v3.0.0. - :type bind_dn: str | unicode - :param bindpass: Password to use along with binddn when performing user search. - :type bindpass: str | unicode - :param bind_pass: Alias for bindpass. This alias will be removed in v3.0.0. - :type bind_pass: str | unicode - :param userattr: Attribute on user attribute object matching the username passed when authenticating. Examples: - sAMAccountName, cn, uid - :type userattr: str | unicode - :param user_attr: Alias for userattr. This alias will be removed in v3.0.0. - :type user_attr: str | unicode - :param discoverdn: Use anonymous bind to discover the bind DN of a user. - :type discoverdn: bool - :param discover_dn: Alias for discoverdn. This alias will be removed in v3.0.0. - :type discover_dn: bool - :param deny_null_bind: This option prevents users from bypassing authentication when providing an empty password. 
- :type deny_null_bind: bool - :param upndomain: The userPrincipalDomain used to construct the UPN string for the authenticating user. The - constructed UPN will appear as [username]@UPNDomain. Example: example.com, which will cause vault to bind as - username@example.com. - :type upndomain: str | unicode - :param upn_domain: Alias for upndomain. This alias will be removed in v3.0.0. - :type upn_domain: str | unicode - :param groupfilter: Go template used when constructing the group membership query. The template can access the - following context variables: [UserDN, Username]. The default is - `(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))`, which is compatible with several - common directory schemas. To support nested group resolution for Active Directory, instead use the following - query: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})). - :type groupfilter: str | unicode - :param group_filter: Alias for groupfilter. This alias will be removed in v3.0.0. - :type group_filter: str | unicode - :param groupattr: LDAP attribute to follow on objects returned by groupfilter in order to enumerate user group - membership. Examples: for groupfilter queries returning group objects, use: cn. For queries returning user - objects, use: memberOf. The default is cn. - :type groupattr: str | unicode - :param group_attr: Alias for groupattr. This alias will be removed in v3.0.0. - :type group_attr: str | unicode - :param use_token_groups: If true, groups are resolved through Active Directory tokens. This may speed up nested - group membership resolution in large directories. - :type use_token_groups: bool - :param token_ttl: The incremental lifetime for generated tokens. - :type token_ttl: str | unicode - :param token_max_ttl: The maximum lifetime for generated tokens. - :type token_max_ttl: str | unicode - :param mount_point: The "path" the method/backend was mounted on. 
- :type mount_point: str | unicode - :return: The response of the configure request. - :rtype: requests.Response - """ - params = utils.remove_nones( - { - "url": url, - "anonymous_group_search": anonymous_group_search, - "binddn": binddn, - "bindpass": bindpass, - "case_sensitive_names": case_sensitive_names, - "certificate": certificate, - "client_tls_cert": client_tls_cert, - "client_tls_key": client_tls_key, - "connection_timeout": connection_timeout, - "deny_null_bind": deny_null_bind, - "dereference_aliases": dereference_aliases, - "discoverdn": discoverdn, - "groupattr": groupattr, - "groupdn": groupdn, - "groupfilter": groupfilter, - "insecure_tls": insecure_tls, - "max_page_size": max_page_size, - "request_timeout": request_timeout, - "starttls": starttls, - "tls_max_version": tls_max_version, - "tls_min_version": tls_min_version, - "token_bound_cidrs": token_bound_cidrs, - "token_explicit_max_ttl": token_explicit_max_ttl, - "token_max_ttl": token_max_ttl, - "token_no_default_policy": token_no_default_policy, - "token_num_uses": token_num_uses, - "token_period": token_period, - "token_policies": token_policies, - "token_ttl": token_ttl, - "token_type": token_type, - "upndomain": upndomain, - "use_token_groups": use_token_groups, - "userattr": userattr, - "userdn": userdn, - "userfilter": userfilter, - "username_as_alias": username_as_alias, - } - ) - - api_path = utils.format_url( - "/v1/auth/{mount_point}/config", mount_point=mount_point - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def read_configuration(self, mount_point=DEFAULT_MOUNT_POINT): - """ - Retrieve the LDAP configuration for the auth method. - - Supported methods: - GET: /auth/{mount_point}/config. Produces: 200 application/json - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the read_configuration request. 
- :rtype: dict
- """
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/config", mount_point=mount_point
- )
- return self._adapter.get(
- url=api_path,
- )
-
- def create_or_update_group(
- self, name, policies=None, mount_point=DEFAULT_MOUNT_POINT
- ):
- """
- Create or update LDAP group policies.
-
- Supported methods:
- POST: /auth/{mount_point}/groups/{name}. Produces: 204 (empty body)
-
-
- :param name: The name of the LDAP group
- :type name: str | unicode
- :param policies: List of policies associated with the group. This parameter is transformed to a comma-delimited
- string before being passed to Vault.
- :type policies: list
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The response of the create_or_update_group request.
- :rtype: requests.Response
- """
- if policies is not None and not isinstance(policies, list):
- error_msg = '"policies" argument must be an instance of list or None, "{policies_type}" provided.'.format(
- policies_type=type(policies),
- )
- raise exceptions.ParamValidationError(error_msg)
-
- params = {}
- if policies is not None:
- params["policies"] = ",".join(policies)
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/groups/{name}",
- mount_point=mount_point,
- name=name,
- )
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def list_groups(self, mount_point=DEFAULT_MOUNT_POINT):
- """
- List existing LDAP existing groups that have been created in this auth method.
-
- Supported methods:
- LIST: /auth/{mount_point}/groups. Produces: 200 application/json
-
-
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The JSON response of the list_groups request.
- :rtype: dict
- """
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/groups", mount_point=mount_point
- )
- return self._adapter.list(
- url=api_path,
- )
-
- def read_group(self, name, mount_point=DEFAULT_MOUNT_POINT):
- """
- Read policies associated with a LDAP group.
-
- Supported methods:
- GET: /auth/{mount_point}/groups/{name}. Produces: 200 application/json
-
-
- :param name: The name of the LDAP group
- :type name: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The JSON response of the read_group request.
- :rtype: dict
- """
- params = {
- "name": name,
- }
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/groups/{name}",
- mount_point=mount_point,
- name=name,
- )
- return self._adapter.get(
- url=api_path,
- json=params,
- )
-
- def delete_group(self, name, mount_point=DEFAULT_MOUNT_POINT):
- """
- Delete a LDAP group and policy association.
-
- Supported methods:
- DELETE: /auth/{mount_point}/groups/{name}. Produces: 204 (empty body)
-
-
- :param name: The name of the LDAP group
- :type name: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The response of the delete_group request.
- :rtype: requests.Response
- """
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/groups/{name}",
- mount_point=mount_point,
- name=name,
- )
- return self._adapter.delete(
- url=api_path,
- )
-
- def create_or_update_user(
- self, username, policies=None, groups=None, mount_point=DEFAULT_MOUNT_POINT
- ):
- """
- Create or update LDAP users policies and group associations.
-
- Supported methods:
- POST: /auth/{mount_point}/users/{username}. Produces: 204 (empty body)
-
-
- :param username: The username of the LDAP user
- :type username: str | unicode
- :param policies: List of policies associated with the user.
This parameter is transformed to a comma-delimited
- string before being passed to Vault.
- :type policies: str | unicode
- :param groups: List of groups associated with the user. This parameter is transformed to a comma-delimited
- string before being passed to Vault.
- :type groups: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The response of the create_or_update_user request.
- :rtype: requests.Response
- """
- list_required_params = {
- "policies": policies,
- "groups": groups,
- }
- for param_name, param_arg in list_required_params.items():
- if param_arg is not None and not isinstance(param_arg, list):
- error_msg = '"{param_name}" argument must be an instance of list or None, "{param_type}" provided.'.format(
- param_name=param_name,
- param_type=type(param_arg),
- )
- raise exceptions.ParamValidationError(error_msg)
-
- params = {}
- if policies is not None:
- params["policies"] = ",".join(policies)
- if groups is not None:
- params["groups"] = ",".join(groups)
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/users/{username}",
- mount_point=mount_point,
- username=username,
- )
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def list_users(self, mount_point=DEFAULT_MOUNT_POINT):
- """
- List existing users in the method.
-
- Supported methods:
- LIST: /auth/{mount_point}/users. Produces: 200 application/json
-
-
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The JSON response of the list_users request.
- :rtype: dict
- """
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/users", mount_point=mount_point
- )
- return self._adapter.list(
- url=api_path,
- )
-
- def read_user(self, username, mount_point=DEFAULT_MOUNT_POINT):
- """
- Read policies associated with a LDAP user.
-
- Supported methods:
- GET: /auth/{mount_point}/users/{username}.
Produces: 200 application/json
-
-
- :param username: The username of the LDAP user
- :type username: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The JSON response of the read_user request.
- :rtype: dict
- """
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/users/{username}",
- mount_point=mount_point,
- username=username,
- )
- return self._adapter.get(
- url=api_path,
- )
-
- def delete_user(self, username, mount_point=DEFAULT_MOUNT_POINT):
- """
- Delete a LDAP user and policy association.
-
- Supported methods:
- DELETE: /auth/{mount_point}/users/{username}. Produces: 204 (empty body)
-
-
- :param username: The username of the LDAP user
- :type username: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The response of the delete_user request.
- :rtype: requests.Response
- """
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/users/{username}",
- mount_point=mount_point,
- username=username,
- )
- return self._adapter.delete(
- url=api_path,
- )
-
- def login(
- self, username, password, use_token=True, mount_point=DEFAULT_MOUNT_POINT
- ):
- """
- Log in with LDAP credentials.
-
- Supported methods:
- POST: /auth/{mount_point}/login/{username}. Produces: 200 application/json
-
-
- :param username: The username of the LDAP user
- :type username: str | unicode
- :param password: The password for the LDAP user
- :type password: str | unicode
- :param use_token: if True, uses the token in the response received from the auth request to set the "token"
- attribute on the the :py:meth:`hvac.adapters.Adapter` instance under the _adapter Client attribute.
- :type use_token: bool
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The response of the login_with_user request.
- :rtype: requests.Response
- """
- params = {
- "password": password,
- }
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/login/{username}",
- mount_point=mount_point,
- username=username,
- )
- return self._adapter.login(
- url=api_path,
- use_token=use_token,
- json=params,
- )
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/legacy_mfa.py b/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/legacy_mfa.py
deleted file mode 100644
index ce4b4ed..0000000
--- a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/legacy_mfa.py
+++ /dev/null
@@ -1,172 +0,0 @@
-#!/usr/bin/env python
-"""Legacy multi-factor authentication methods module."""
-from hvac.api.vault_api_base import VaultApiBase
-from hvac import exceptions, utils
-
-SUPPORTED_MFA_TYPES = [
- "duo",
-]
-SUPPORTED_AUTH_METHODS = ["ldap", "okta", "radius", "userpass"]
-
-
-class LegacyMfa(VaultApiBase):
- """Multi-factor authentication Auth Method (API).
-
- .. warning::
- This class's methods correspond to a legacy / unsupported set of Vault API routes. Please see the reference link
- for additional context.
-
- Reference: https://developer.hashicorp.com/vault/docs/v1.10.x/auth/mfa
- """
-
- def configure(self, mount_point, mfa_type="duo", force=False):
- """Configure MFA for a supported method.
-
- This endpoint allows you to turn on multi-factor authentication with a given backend.
- Currently only Duo is supported.
-
- Supported methods:
- POST: /auth/{mount_point}/mfa_config. Produces: 204 (empty body)
-
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :param mfa_type: Enables MFA with given backend (available: duo)
- :type mfa_type: str | unicode
- :param force: If `True`, make the `mfa_config` request regardless of circumstance. If `False` (the default), verify
- the provided `mount_point` is available and one of the types of methods supported by this feature.
- :type force: bool
- :return: The response of the configure MFA request.
- :rtype: requests.Response
- """
- if mfa_type != "duo" and not force:
- # The situation described via this exception is not likely to change in the future.
- # However we provided that flexibility here just in case.
- error_msg = 'Unsupported mfa_type argument provided "{arg}", supported types: "{mfa_types}"'
- raise exceptions.ParamValidationError(
- error_msg.format(
- mfa_types=",".join(SUPPORTED_MFA_TYPES),
- arg=mfa_type,
- )
- )
- params = {
- "type": mfa_type,
- }
-
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/mfa_config", mount_point=mount_point
- )
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def read_configuration(self, mount_point):
- """Read the MFA configuration.
-
- Supported methods:
- GET: /auth/{mount_point}/mfa_config. Produces: 200 application/json
-
-
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The JSON response of the read_configuration request.
- :rtype: dict
- """
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/mfa_config",
- mount_point=mount_point,
- )
- return self._adapter.get(url=api_path)
-
- def configure_duo_access(self, mount_point, host, integration_key, secret_key):
- """Configure the access keys and host for Duo API connections.
-
- To authenticate users with Duo, the backend needs to know what host to connect to and must authenticate with an
- integration key and secret key. This endpoint is used to configure that information.
-
- Supported methods:
- POST: /auth/{mount_point}/duo/access. Produces: 204 (empty body)
-
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :param host: Duo API host
- :type host: str | unicode
- :param integration_key: Duo integration key
- :type integration_key: str | unicode
- :param secret_key: Duo secret key
- :type secret_key: str | unicode
- :return: The response of the `configure_duo_access` request.
- :rtype: requests.Response
- """
- params = {
- "host": host,
- "ikey": integration_key,
- "skey": secret_key,
- }
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/duo/access",
- mount_point=mount_point,
- )
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def configure_duo_behavior(
- self, mount_point, push_info=None, user_agent=None, username_format="%s"
- ):
- """Configure Duo second factor behavior.
-
- This endpoint allows you to configure how the original auth method username maps to the Duo username by
- providing a template format string.
-
- Supported methods:
- POST: /auth/{mount_point}/duo/config. Produces: 204 (empty body)
-
-
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :param push_info: A string of URL-encoded key/value pairs that provides additional context about the
- authentication attempt in the Duo Mobile app
- :type push_info: str | unicode
- :param user_agent: User agent to connect to Duo (default is empty string `""`)
- :type user_agent: str | unicode
- :param username_format: Format string given auth method username as argument to create Duo username
- (default `%s`)
- :type username_format: str | unicode
- :return: The response of the `configure_duo_behavior` request.
- :rtype: requests.Response
- """
- params = {
- "username_format": username_format,
- }
- if push_info is not None:
- params["push_info"] = push_info
- if user_agent is not None:
- params["user_agent"] = user_agent
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/duo/config",
- mount_point=mount_point,
- )
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def read_duo_behavior_configuration(self, mount_point):
- """Read the Duo second factor behavior configuration.
-
- Supported methods:
- GET: /auth/{mount_point}/duo/config. Produces: 200 application/json
-
-
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The JSON response of the `read_duo_behavior_configuration` request.
- :rtype: dict
- """
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/duo/config",
- mount_point=mount_point,
- )
- return self._adapter.get(url=api_path)
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/oidc.py b/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/oidc.py
deleted file mode 100644
index bb3f2d6..0000000
--- a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/oidc.py
+++ /dev/null
@@ -1,166 +0,0 @@
-#!/usr/bin/env python
-"""JWT/OIDC methods module."""
-from hvac.api.auth_methods.jwt import JWT
-
-
-class OIDC(JWT):
- """OIDC auth method which can be used to authenticate with Vault using OIDC.
-
- The OIDC method allows authentication via a configured OIDC provider using the user's web browser.
- This method may be initiated from the Vault UI or the command line. Alternatively, a JWT can be provided directly.
- The JWT is cryptographically verified using locally-provided keys, or, if configured, an OIDC Discovery service can
- be used to fetch the appropriate keys. The choice of method is configured per role.
-
- Note: this class is duplicative of the JWT class (as both JWT and OIDC share the same family of Vault API routes).
-
- Reference: https://www.vaultproject.io/api/auth/jwt
- """
-
- DEFAULT_PATH = "oidc"
-
- def create_role(
- self,
- name,
- user_claim,
- allowed_redirect_uris,
- role_type="oidc",
- bound_audiences=None,
- clock_skew_leeway=None,
- expiration_leeway=None,
- not_before_leeway=None,
- bound_subject=None,
- bound_claims=None,
- groups_claim=None,
- claim_mappings=None,
- oidc_scopes=None,
- bound_claims_type="string",
- verbose_oidc_logging=False,
- token_ttl=None,
- token_max_ttl=None,
- token_policies=None,
- token_bound_cidrs=None,
- token_explicit_max_ttl=None,
- token_no_default_policy=None,
- token_num_uses=None,
- token_period=None,
- token_type=None,
- path=None,
- user_claim_json_pointer=None,
- ):
- """Register a role in the OIDC method.
-
- Role types have specific entities that can perform login operations against this endpoint. Constraints
- specific to the role type must be set on the role. These are applied to the authenticated entities
- attempting to login. At least one of the bound values must be set.
-
- Supported methods:
- POST: /auth/{path}/role/:name.
-
- :param name: Name of the role.
- :type name: str | unicode
- :param role_type: Type of role, either "oidc" or "jwt" (default).
- :type role_type: str | unicode
- :param bound_audiences: List of aud claims to match against. Any match is sufficient.
- Required for "jwt" roles, optional for "oidc" roles.
- :type bound_audiences: list
- :param user_claim: The claim to use to uniquely identify the user; this will be used as the name for the
- Identity entity alias created due to a successful login. The interpretation of the user claim
- is configured with ``user_claim_json_pointer``. If set to ``True``, ``user_claim`` supports JSON pointer syntax
- for referencing a claim. The claim value must be a string.
- :type user_claim: str | unicode
- :param clock_skew_leeway: Only applicable with "jwt" roles.
- :type clock_skew_leeway: int
- :param expiration_leeway: Only applicable with "jwt" roles.
- :type expiration_leeway: int
- :param not_before_leeway: Only applicable with "jwt" roles.
- :type not_before_leeway: int
- :param bound_subject: If set, requires that the sub claim matches this value.
- :type bound_subject: str | unicode
- :param bound_claims: If set, a dict of claims (keys) to match against respective claim values (values).
- The expected value may be a single string or a list of strings. The interpretation of the bound claim
- values is configured with bound_claims_type. Keys support JSON pointer syntax for referencing claims.
- :type bound_claims: dict
- :param groups_claim: The claim to use to uniquely identify the set of groups to which the user belongs; this
- will be used as the names for the Identity group aliases created due to a successful login. The claim value
- must be a list of strings. Supports JSON pointer syntax for referencing claims.
- :type groups_claim: str | unicode
- :param claim_mappings: If set, a map of claims (keys) to be copied to specified metadata fields (values). Keys
- support JSON pointer syntax for referencing claims.
- :type claim_mappings: map
- :param oidc_scopes: If set, a list of OIDC scopes to be used with an OIDC role.
- The standard scope "openid" is automatically included and need not be specified.
- :type oidc_scopes: list
- :param allowed_redirect_uris: The list of allowed values for redirect_uri
- during OIDC logins.
- :type allowed_redirect_uris: list
- :param bound_claims_type: Configures the interpretation of the bound_claims values. If "string" (the default),
- the values will treated as string literals and must match exactly. If set to "glob", the values will be
- interpreted as globs, with * matching any number of characters.
- :type bound_claims_type: str | unicode
- :param verbose_oidc_logging: Log received OIDC tokens and claims when debug-level
- logging is active. Not recommended in production since sensitive information may be present
- in OIDC responses.
- :type verbose_oidc_logging: bool
- :param token_ttl: The incremental lifetime for generated tokens. This current value of this will be referenced
- at renewal time.
- :type token_ttl: int | str
- :param token_max_ttl: The maximum lifetime for generated tokens. This current value of this will be referenced
- at renewal time.
- :type token_max_ttl: int | str
- :param token_policies: List of policies to encode onto generated tokens. Depending on the auth method, this
- list may be supplemented by user/group/other values.
- :type token_policies: list[str]
- :param token_bound_cidrs: List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate
- successfully, and ties the resulting token to these blocks as well.
- :type token_bound_cidrs: list[str]
- :param token_explicit_max_ttl: If set, will encode an explicit max TTL onto the token. This is a hard cap
- even if token_ttl and token_max_ttl would otherwise allow a renewal.
- :type token_explicit_max_ttl: int | str
- :param token_no_default_policy: If set, the default policy will not be set on generated tokens; otherwise it
- will be added to the policies set in token_policies.
- :type token_no_default_policy: bool
- :param token_num_uses: The maximum number of times a generated token may be used (within its lifetime); 0 means
- unlimited. If you require the token to have the ability to create child tokens, you will need to set this
- value to 0.
- :type token_num_uses: str | unicode
- :param token_period: The period, if any, to set on the token.
- :type token_period: int | str
- :param token_type: The type of token that should be generated. Can be service, batch, or default.
- :type token_type: str
- :param path: The "path" the method/backend was mounted on.
- :type path: str | unicode
- :param user_claim_json_pointer: Specifies if the ``user_claim`` value uses JSON pointer syntax for referencing claims.
- By default, the ``user_claim`` value will not use JSON pointer.
- :type user_claim_json_pointer: bool
- :return: The response of the create_role request.
- :rtype: dict
- """
-
- super().create_role(
- name=name,
- user_claim=user_claim,
- allowed_redirect_uris=allowed_redirect_uris,
- role_type=role_type,
- bound_audiences=bound_audiences,
- clock_skew_leeway=clock_skew_leeway,
- expiration_leeway=expiration_leeway,
- not_before_leeway=not_before_leeway,
- bound_subject=bound_subject,
- bound_claims=bound_claims,
- groups_claim=groups_claim,
- claim_mappings=claim_mappings,
- oidc_scopes=oidc_scopes,
- bound_claims_type=bound_claims_type,
- verbose_oidc_logging=verbose_oidc_logging,
- token_ttl=token_ttl,
- token_max_ttl=token_max_ttl,
- token_policies=token_policies,
- token_bound_cidrs=token_bound_cidrs,
- token_explicit_max_ttl=token_explicit_max_ttl,
- token_no_default_policy=token_no_default_policy,
- token_num_uses=token_num_uses,
- token_period=token_period,
- token_type=token_type,
- path=path,
- user_claim_json_pointer=user_claim_json_pointer,
- )
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/okta.py b/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/okta.py
deleted file mode 100644
index 3317425..0000000
--- a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/okta.py
+++ /dev/null
@@ -1,332 +0,0 @@
-#!/usr/bin/env python
-"""Okta methods module."""
-from hvac import utils
-from hvac.api.vault_api_base import VaultApiBase
-
-DEFAULT_MOUNT_POINT = "okta"
-
-
-class Okta(VaultApiBase):
- """Okta Auth Method (API).
-
- Reference: https://www.vaultproject.io/api/auth/okta/index.html
- """
-
- def configure(
- self,
- org_name,
- api_token=None,
- base_url=None,
- ttl=None,
- max_ttl=None,
- bypass_okta_mfa=None,
- mount_point=DEFAULT_MOUNT_POINT,
- ):
- """Configure the connection parameters for Okta.
-
- This path honors the distinction between the create and update capabilities inside ACL policies.
-
- Supported methods:
- POST: /auth/{mount_point}/config. Produces: 204 (empty body)
-
-
- :param org_name: Name of the organization to be used in the Okta API.
- :type org_name: str | unicode
- :param api_token: Okta API token. This is required to query Okta for user group membership. If this is not
- supplied only locally configured groups will be enabled.
- :type api_token: str | unicode
- :param base_url: If set, will be used as the base domain for API requests. Examples are okta.com,
- oktapreview.com, and okta-emea.com.
- :type base_url: str | unicode
- :param ttl: Duration after which authentication will be expired.
- :type ttl: str | unicode
- :param max_ttl: Maximum duration after which authentication will be expired.
- :type max_ttl: str | unicode
- :param bypass_okta_mfa: Whether to bypass an Okta MFA request. Useful if using one of Vault's built-in MFA
- mechanisms, but this will also cause certain other statuses to be ignored, such as PASSWORD_EXPIRED.
- :type bypass_okta_mfa: bool
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The response of the request.
- :rtype: requests.Response
- """
- params = {
- "org_name": org_name,
- }
- params.update(
- utils.remove_nones(
- {
- "api_token": api_token,
- "base_url": base_url,
- "ttl": ttl,
- "max_ttl": max_ttl,
- "bypass_okta_mfa": bypass_okta_mfa,
- }
- )
- )
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/config", mount_point=mount_point
- )
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def read_config(self, mount_point=DEFAULT_MOUNT_POINT):
- """Read the Okta configuration.
-
- Supported methods:
- GET: /auth/{mount_point}/config. Produces: 200 application/json
-
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The JSON response of the request.
- :rtype: dict
- """
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/config", mount_point=mount_point
- )
- return self._adapter.get(
- url=api_path,
- )
-
- def list_users(self, mount_point=DEFAULT_MOUNT_POINT):
- """List the users configured in the Okta method.
-
- Supported methods:
- LIST: /auth/{mount_point}/users. Produces: 200 application/json
-
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The JSON response of the request.
- :rtype: dict
- """
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/users", mount_point=mount_point
- )
- return self._adapter.list(
- url=api_path,
- )
-
- def register_user(
- self, username, groups=None, policies=None, mount_point=DEFAULT_MOUNT_POINT
- ):
- """Register a new user and maps a set of policies to it.
-
- Supported methods:
- POST: /auth/{mount_point}/users/{username}. Produces: 204 (empty body)
-
- :param username: Name of the user.
- :type username: str | unicode
- :param groups: List or comma-separated string of groups associated with the user.
- :type groups: list
- :param policies: List or comma-separated string of policies associated with the user.
- :type policies: list
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The response of the request.
- :rtype: requests.Response
- """
- params = {
- "username": username,
- }
- params.update(
- utils.remove_nones(
- {
- "groups": groups,
- "policies": policies,
- }
- )
- )
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/users/{username}",
- mount_point=mount_point,
- username=username,
- )
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def read_user(self, username, mount_point=DEFAULT_MOUNT_POINT):
- """Read the properties of an existing username.
-
- Supported methods:
- GET: /auth/{mount_point}/users/{username}. Produces: 200 application/json
-
- :param username: Username for this user.
- :type username: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The JSON response of the request.
- :rtype: dict
- """
- params = {
- "username": username,
- }
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/users/{username}",
- mount_point=mount_point,
- username=username,
- )
- return self._adapter.get(
- url=api_path,
- json=params,
- )
-
- def delete_user(self, username, mount_point=DEFAULT_MOUNT_POINT):
- """Delete an existing username from the method.
-
- Supported methods:
- DELETE: /auth/{mount_point}/users/{username}. Produces: 204 (empty body)
-
- :param username: Username for this user.
- :type username: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The response of the request.
- :rtype: requests.Response
- """
- params = {
- "username": username,
- }
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/users/{username}",
- mount_point=mount_point,
- username=username,
- )
- return self._adapter.delete(
- url=api_path,
- json=params,
- )
-
- def list_groups(self, mount_point=DEFAULT_MOUNT_POINT):
- """List the groups configured in the Okta method.
-
- Supported methods:
- LIST: /auth/{mount_point}/groups. Produces: 200 application/json
-
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The JSON response of the request.
- :rtype: dict
- """
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/groups", mount_point=mount_point
- )
- return self._adapter.list(
- url=api_path,
- )
-
- def register_group(self, name, policies=None, mount_point=DEFAULT_MOUNT_POINT):
- """Register a new group and maps a set of policies to it.
-
- Supported methods:
- POST: /auth/{mount_point}/groups/{name}. Produces: 204 (empty body)
-
- :param name: The name of the group.
- :type name: str | unicode
- :param policies: The list or comma-separated string of policies associated with the group.
- :type policies: list
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The response of the request.
- :rtype: requests.Response
- """
- params = utils.remove_nones(
- {
- "policies": policies,
- }
- )
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/groups/{name}",
- mount_point=mount_point,
- name=name,
- )
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def read_group(self, name, mount_point=DEFAULT_MOUNT_POINT):
- """Read the properties of an existing group.
-
- Supported methods:
- GET: /auth/{mount_point}/groups/{name}. Produces: 200 application/json
-
- :param name: The name for the group.
- :type name: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The JSON response of the request.
- :rtype: dict
- """
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/groups/{name}",
- mount_point=mount_point,
- name=name,
- )
- return self._adapter.get(
- url=api_path,
- )
-
- def delete_group(self, name, mount_point=DEFAULT_MOUNT_POINT):
- """Delete an existing group from the method.
-
- Supported methods:
- DELETE: /auth/{mount_point}/groups/{name}. Produces: 204 (empty body)
-
- :param name: The name for the group.
- :type name: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The response of the request.
- :rtype: requests.Response
- """
- params = {
- "name": name,
- }
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/groups/{name}",
- mount_point=mount_point,
- name=name,
- )
- return self._adapter.delete(
- url=api_path,
- json=params,
- )
-
- def login(
- self, username, password, use_token=True, mount_point=DEFAULT_MOUNT_POINT
- ):
- """Login with the username and password.
-
- Supported methods:
- POST: /auth/{mount_point}/login/{username}. Produces: 200 application/json
-
- :param username: Username for this user.
- :type username: str | unicode
- :param password: Password for the authenticating user.
- :type password: str | unicode
- :param use_token: if True, uses the token in the response received from the auth request to set the "token"
- attribute on the :py:meth:`hvac.adapters.Adapter` instance under the _adapter Client attribute.
- :type use_token: bool
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The response of the login request.
- :rtype: dict
- """
- params = {
- "username": username,
- "password": password,
- }
- api_path = utils.format_url(
- "/v1/auth/{mount_point}/login/{username}",
- mount_point=mount_point,
- username=username,
- )
- return self._adapter.login(
- url=api_path,
- use_token=use_token,
- json=params,
- )
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/radius.py b/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/radius.py
deleted file mode 100644
index 291e84f..0000000
--- a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/radius.py
+++ /dev/null
@@ -1,237 +0,0 @@ -#!/usr/bin/env python -"""RADIUS methods module.""" -from hvac import exceptions, utils -from hvac.api.vault_api_base import VaultApiBase - -DEFAULT_MOUNT_POINT = "radius" - - -class Radius(VaultApiBase): - """RADIUS Auth Method (API). - - Reference: https://www.vaultproject.io/docs/auth/radius.html - """ - - def configure( - self, - host, - secret, - port=None, - unregistered_user_policies=None, - dial_timeout=None, - nas_port=None, - mount_point=DEFAULT_MOUNT_POINT, - ): - """ - Configure the RADIUS auth method. - - Supported methods: - POST: /auth/{mount_point}/config. Produces: 204 (empty body) - - :param host: The RADIUS server to connect to. Examples: radius.myorg.com, 127.0.0.1 - :type host: str | unicode - :param secret: The RADIUS shared secret. - :type secret: str | unicode - :param port: The UDP port where the RADIUS server is listening on. Defaults is 1812. - :type port: int - :param unregistered_user_policies: A comma-separated list of policies to be granted to unregistered users. - :type unregistered_user_policies: list - :param dial_timeout: Number of second to wait for a backend connection before timing out. Default is 10. - :type dial_timeout: int - :param nas_port: The NAS-Port attribute of the RADIUS request. Defaults is 10. - :type nas_port: int - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the configure request. - :rtype: requests.Response - """ - params = { - "host": host, - "secret": secret, - } - params.update( - utils.remove_nones( - { - "port": port, - "dial_timeout": dial_timeout, - "nas_port": nas_port, - } - ) - ) - # Fill out params dictionary with any optional parameters provided - if unregistered_user_policies is not None: - if not isinstance(unregistered_user_policies, list): - error_msg = ( - '"unregistered_user_policies" argument must be an instance of list or None, ' - '"{unregistered_user_policies}" provided.' 
- ).format(unregistered_user_policies=type(unregistered_user_policies)) - raise exceptions.ParamValidationError(error_msg) - - params["unregistered_user_policies"] = ",".join(unregistered_user_policies) - - api_path = utils.format_url( - "/v1/auth/{mount_point}/config", mount_point=mount_point - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def read_configuration(self, mount_point=DEFAULT_MOUNT_POINT): - """ - Retrieve the RADIUS configuration for the auth method. - - Supported methods: - GET: /auth/{mount_point}/config. Produces: 200 application/json - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the read_configuration request. - :rtype: dict - """ - api_path = utils.format_url( - "/v1/auth/{mount_point}/config", mount_point=mount_point - ) - return self._adapter.get( - url=api_path, - ) - - def register_user(self, username, policies=None, mount_point=DEFAULT_MOUNT_POINT): - """ - Create or update RADIUS user with a set of policies. - - Supported methods: - POST: /auth/{mount_point}/users/{username}. Produces: 204 (empty body) - - :param username: Username for this RADIUS user. - :type username: str | unicode - :param policies: List of policies associated with the user. This parameter is transformed to a comma-delimited - string before being passed to Vault. - :type policies: list - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the register_user request. 
- :rtype: requests.Response - """ - if policies is not None and not isinstance(policies, list): - error_msg = '"policies" argument must be an instance of list or None, "{policies_type}" provided.'.format( - policies_type=type(policies), - ) - raise exceptions.ParamValidationError(error_msg) - - params = {} - if policies is not None: - params["policies"] = ",".join(policies) - api_path = utils.format_url( - "/v1/auth/{mount_point}/users/{name}", - mount_point=mount_point, - name=username, - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def list_users(self, mount_point=DEFAULT_MOUNT_POINT): - """ - List existing users in the method. - - Supported methods: - LIST: /auth/{mount_point}/users. Produces: 200 application/json - - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the list_users request. - :rtype: dict - """ - api_path = utils.format_url( - "/v1/auth/{mount_point}/users", mount_point=mount_point - ) - return self._adapter.list( - url=api_path, - ) - - def read_user(self, username, mount_point=DEFAULT_MOUNT_POINT): - """ - Read policies associated with a RADIUS user. - - Supported methods: - GET: /auth/{mount_point}/users/{username}. Produces: 200 application/json - - - :param username: The username of the RADIUS user - :type username: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the read_user request. - :rtype: dict - """ - api_path = utils.format_url( - "/v1/auth/{mount_point}/users/{username}", - mount_point=mount_point, - username=username, - ) - return self._adapter.get( - url=api_path, - ) - - def delete_user(self, username, mount_point=DEFAULT_MOUNT_POINT): - """ - Delete a RADIUS user and policy association. - - Supported methods: - DELETE: /auth/{mount_point}/users/{username}. 
Produces: 204 (empty body) - - - :param username: The username of the RADIUS user - :type username: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the delete_user request. - :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/auth/{mount_point}/users/{username}", - mount_point=mount_point, - username=username, - ) - return self._adapter.delete( - url=api_path, - ) - - def login( - self, username, password, use_token=True, mount_point=DEFAULT_MOUNT_POINT - ): - """ - Log in with RADIUS credentials. - - Supported methods: - POST: /auth/{mount_point}/login/{username}. Produces: 200 application/json - - - :param username: The username of the RADIUS user - :type username: str | unicode - :param password: The password for the RADIUS user - :type password: str | unicode - :param use_token: if True, uses the token in the response received from the auth request to set the "token" - attribute on the the :py:meth:`hvac.adapters.Adapter` instance under the _adapter Client attribute. - :type use_token: bool - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the login_with_user request. - :rtype: requests.Response - """ - params = { - "password": password, - } - api_path = utils.format_url( - "/v1/auth/{mount_point}/login/{username}", - mount_point=mount_point, - username=username, - ) - return self._adapter.login( - url=api_path, - use_token=use_token, - json=params, - ) diff --git a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/token.py b/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/token.py deleted file mode 100644 index b0d6a45..0000000 --- a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/token.py +++ /dev/null 
@@ -1,658 +0,0 @@ -#!/usr/bin/env python -"""Token methods module.""" -from hvac import utils -from hvac.api.vault_api_base import VaultApiBase - -DEFAULT_MOUNT_POINT = "token" - - -class Token(VaultApiBase): - """Token Auth Method (API). - - Reference: http://localhost:3000/api-docs/auth/token - """ - - def create( - self, - id=None, - role_name=None, - policies=None, - meta=None, - no_parent=False, - no_default_policy=False, - renewable=True, - ttl=None, - type=None, - explicit_max_ttl=None, - display_name="token", - num_uses=0, - period=None, - entity_alias=None, - wrap_ttl=None, - mount_point=DEFAULT_MOUNT_POINT, - ): - """Create a new token. - - Certain options are only available when called by a root token. If used - via the /auth/token/create-orphan endpoint, a root token is not required - to create an orphan token (otherwise set with the no_parent option). If - used with a role name in the path, the token will be created against the - specified role name; this may override options set during this call. - - - :param id: The ID of the client token. Can only be specified by a root token. - The ID provided may not contain a `.` character. Otherwise, the - token ID is a randomly generated value. - :type id: str - :param role_name: The name of the token role. - :type role_name: str - :param policies: A list of policies for the token. This must be a - subset of the policies belonging to the token making the request, unless root. - If not specified, defaults to all the policies of the calling token. - :type policies: list - :param meta: A map of string to string valued metadata. This is - passed through to the audit devices. - :type meta: map - :param no_parent: This argument only has effect if used by a root or sudo caller. - When set to `True`, the token created will not have a parent. - :type no_parent: bool - :param no_default_policy: If `True` the default policy will not be contained in this token's policy set. 
- :type no_default_policy: bool - :param renewable: Set to false to disable the ability of the token to be renewed past its initial TTL. - Setting the value to true will allow the token to be renewable up to the system/mount maximum TTL. - :type renewable: bool - :param ttl: The TTL period of the token, provided as "1h", where hour is the largest suffix. If not provided, - the token is valid for the default lease TTL, or indefinitely if the root policy is used. - :type ttl: str - :param type: The token type. Can be "batch" or "service". Defaults to the type - specified by the role configuration named by role_name. - :type type: str - :param explicit_max_ttl: If set, the token will have an explicit max TTL set upon it. - This maximum token TTL cannot be changed later, and unlike with normal tokens, updates to the system/mount - max TTL value will have no effect at renewal time -- the token will never be able to be renewed or used past - the value set at issue time. - :type explicit_max_ttl: str - :param display_name: The display name of the token. - :type display_name: str - :param num_uses: The maximum uses for the given token. This can be - used to create a one-time-token or limited use token. The value of 0 has no - limit to the number of uses. - :type num_uses: int - :param period: If specified, the token will be periodic; it will have - no maximum TTL (unless an "explicit-max-ttl" is also set) but every renewal - will use the given period. Requires a root token or one with the sudo capability. - :type period: str - :param entity_alias: Name of the entity alias to associate with during token creation. - Only works in combination with role_name argument and used entity alias must be listed in - `allowed_entity_aliases`. If this has been specified, the entity will not be inherited from the parent. - :type entity_alias: str - :param wrap_ttl: Specifies response wrapping token creation with duration. IE: '15s', '20m', '25h'. 
- :type wrap_ttl: str - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str - :return: The response of the create request. - :rtype: requests.Response - """ - params = utils.remove_nones( - { - "id": id, - "policies": policies, - "meta": meta, - "no_parent": no_parent, - "no_default_policy": no_default_policy, - "renewable": renewable, - "ttl": ttl, - "type": type, - "explicit_max_ttl": explicit_max_ttl, - "display_name": display_name, - "num_uses": num_uses, - "period": period, - "entity_alias": entity_alias, - } - ) - - api_path = f"/v1/auth/{mount_point}/create" - - if role_name is not None: - api_path = f"{api_path}/{role_name}" - - return self._adapter.post( - url=api_path, - json=params, - wrap_ttl=wrap_ttl, - ) - - def create_orphan( - self, - id=None, - role_name=None, - policies=None, - meta=None, - no_default_policy=False, - renewable=True, - ttl=None, - type=None, - explicit_max_ttl=None, - display_name="token", - num_uses=0, - period=None, - entity_alias=None, - wrap_ttl=None, - mount_point=DEFAULT_MOUNT_POINT, - ): - """Create a new orphaned token. - - Creates a token via the /auth/token/create-orphan endpoint. A root token - is not required to create an orphan token with this endpoint (otherwise - an orphaned token can be set with the `create` method's `no_parent` option). - - - :param id: The ID of the client token. Can only be specified by a root token. - The ID provided may not contain a `.` character. Otherwise, the - token ID is a randomly generated value. - :type id: str - :param role_name: The name of the token role. - :type role_name: str - :param policies: A list of policies for the token. This must be a - subset of the policies belonging to the token making the request, unless root. - If not specified, defaults to all the policies of the calling token. - :type policies: list - :param meta: A map of string to string valued metadata. This is - passed through to the audit devices. 
- :type meta: map - :param no_default_policy: If `True` the default policy will not be contained in this token's policy set. - :type no_default_policy: bool - :param renewable: Set to false to disable the ability of the token to be renewed past its initial TTL. - Setting the value to true will allow the token to be renewable up to the system/mount maximum TTL. - :type renewable: bool - :param ttl: The TTL period of the token, provided as `1h`, where hour is the largest suffix. If not provided, - the token is valid for the default lease TTL, or indefinitely if the root policy is used. - :type ttl: str - :param type: The token type. Can be `batch` or `service`. Defaults to the type - specified by the role configuration named by role_name. - :type type: str - :param explicit_max_ttl: If set, the token will have an explicit max TTL set upon it. - This maximum token TTL cannot be changed later, and unlike with normal tokens, updates to the system/mount - max TTL value will have no effect at renewal time -- the token will never be able to be renewed or used past - the value set at issue time. - :type explicit_max_ttl: str - :param display_name: The display name of the token. - :type display_name: str - :param num_uses: The maximum uses for the given token. This can be - used to create a one-time-token or limited use token. The value of `0` has no - limit to the number of uses. - :type num_uses: int - :param period: If specified, the token will be periodic; it will have - no maximum TTL (unless an `explicit-max-ttl` is also set) but every renewal - will use the given period. Requires a root token or one with the sudo capability. - :type period: str - :param entity_alias: Name of the entity alias to associate with during token creation. - Only works in combination with role_name argument and used entity alias must be listed in - `allowed_entity_aliases`. If this has been specified, the entity will not be inherited from the parent. 
- :type entity_alias: str - :param wrap_ttl: Specifies response wrapping token creation with duration. IE: `15s`, `20m`, `25h`. - :type wrap_ttl: str - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str - :return: The response of the create request. - :rtype: requests.Response - """ - params = utils.remove_nones( - { - "id": id, - "role_name": role_name, - "policies": policies, - "meta": meta, - "no_default_policy": no_default_policy, - "renewable": renewable, - "ttl": ttl, - "type": type, - "explicit_max_ttl": explicit_max_ttl, - "display_name": display_name, - "num_uses": num_uses, - "period": period, - "entity_alias": entity_alias, - } - ) - - api_path = f"/v1/auth/{mount_point}/create-orphan" - return self._adapter.post( - url=api_path, - json=params, - wrap_ttl=wrap_ttl, - ) - - def list_accessors(self, mount_point=DEFAULT_MOUNT_POINT): - """List token accessors. - - This requires sudo capability, and access to it should be tightly controlled - as the accessors can be used to revoke very large numbers of tokens and their associated leases at once. - - Supported methods: - LIST: /auth/{mount_point}/accessors. - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str - :return: The response of the list_accessors request. - :rtype: requests.Response - """ - api_path = f"/v1/auth/{mount_point}/accessors" - return self._adapter.list( - url=api_path, - ) - - def lookup(self, token, mount_point=DEFAULT_MOUNT_POINT): - """Retrieve information about the client token. - - Supported methods: - POST: /auth/{mount_point}/lookup. - - :param token: Token to lookup. - :type token: str - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str - :return: The response of the lookup_a request. 
- :rtype: requests.Response - """ - params = { - "token": token, - } - api_path = f"/v1/auth/{mount_point}/lookup" - return self._adapter.post( - url=api_path, - json=params, - ) - - def lookup_self(self, mount_point=DEFAULT_MOUNT_POINT): - """Retrieve information about the current client token. - - Supported methods: - GET: /auth/{mount_point}/lookup-self. - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str - :return: The response of the lookup_a_self request. - :rtype: requests.Response - """ - api_path = f"/v1/auth/{mount_point}/lookup-self" - return self._adapter.get( - url=api_path, - ) - - def lookup_accessor(self, accessor, mount_point=DEFAULT_MOUNT_POINT): - """Retrieve information about the client token from its accessor. - - Supported methods: - POST: /auth/{mount_point}/lookup-accessor. - - :param accessor: Token accessor to lookup. - :type accessor: str - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str - :return: The response of the lookup_accessor request. - :rtype: requests.Response - """ - params = { - "accessor": accessor, - } - api_path = "/v1/auth/{mount_point}/lookup-accessor".format( - mount_point=mount_point - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def renew( - self, token, increment=None, wrap_ttl=None, mount_point=DEFAULT_MOUNT_POINT - ): - """Renew a lease associated with a token. - - This is used to prevent the expiration of a token, and the automatic revocation of it. - Token renewal is possible only if there is a lease associated with it. - - Supported methods: - POST: /auth/{mount_point}/renew. - - :param token: Token to renew. This can be part of the URL or the body. - :type token: str - :param increment: An optional requested lease increment can be provided. - This increment may be ignored. - :type increment: str - :param wrap_ttl: Specifies response wrapping token creation with duration. IE: '15s', '20m', '25h'. 
- :type wrap_ttl: str - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str - :return: The response of the renew_a request. - :rtype: requests.Response - """ - params = utils.remove_nones( - { - "token": token, - "increment": increment, - } - ) - api_path = f"/v1/auth/{mount_point}/renew" - return self._adapter.post( - url=api_path, - json=params, - wrap_ttl=wrap_ttl, - ) - - def renew_self( - self, increment=None, wrap_ttl=None, mount_point=DEFAULT_MOUNT_POINT - ): - """Renew a lease associated with the calling token. - - This is used to prevent the expiration of a token, and the automatic revocation of it. - Token renewal is possible only if there is a lease associated with it. - - Supported methods: - POST: /auth/{mount_point}/renew-self. - - :param increment: An optional requested lease increment can be - provided. This increment may be ignored. - :type increment: str - :param wrap_ttl: Specifies response wrapping token creation with duration. IE: '15s', '20m', '25h'. - :type wrap_ttl: str - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str - :return: The response of the renew_a_self request. - :rtype: requests.Response - """ - params = utils.remove_nones( - { - "increment": increment, - } - ) - api_path = f"/v1/auth/{mount_point}/renew-self" - return self._adapter.post( - url=api_path, - json=params, - wrap_ttl=wrap_ttl, - ) - - def renew_accessor( - self, accessor, increment=None, wrap_ttl=None, mount_point=DEFAULT_MOUNT_POINT - ): - """Renew a lease associated with a token using its accessor. - - This is used to prevent the expiration of a token, and the automatic revocation of it. - Token renewal is possible only if there is a lease associated with it. - - Supported methods: - POST: /auth/{mount_point}/renew-accessor. - - :param accessor: Accessor associated with the token to - renew. 
- :type accessor: str - :param increment: An optional requested lease increment can be - provided. This increment may be ignored. - :type increment: str - :param wrap_ttl: Specifies response wrapping token creation with duration. IE: '15s', '20m', '25h'. - :type wrap_ttl: str - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str - :return: The response of the renew_a_accessor request. - :rtype: requests.Response - """ - params = utils.remove_nones( - { - "accessor": accessor, - "increment": increment, - } - ) - api_path = "/v1/auth/{mount_point}/renew-accessor".format( - mount_point=mount_point - ) - return self._adapter.post( - url=api_path, - json=params, - wrap_ttl=wrap_ttl, - ) - - def revoke(self, token, mount_point=DEFAULT_MOUNT_POINT): - """Revoke a token and all child tokens. - - When the token is revoked, all dynamic secrets generated with it are also revoked. - - Supported methods: - POST: /auth/{mount_point}/revoke. - - :param token: Token to revoke. - :type token: str - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str - :return: The response of the revoke_a request. - :rtype: requests.Response - """ - params = { - "token": token, - } - api_path = f"/v1/auth/{mount_point}/revoke" - return self._adapter.post( - url=api_path, - json=params, - ) - - def revoke_self(self, mount_point=DEFAULT_MOUNT_POINT): - """Revoke the token used to call it and all child tokens. - - When the token is revoked, all dynamic secrets generated with it are also revoked. - - Supported methods: - POST: /auth/{mount_point}/revoke-self. - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str - :return: The response of the revoke_a_self request. 
- :rtype: requests.Response - """ - api_path = f"/v1/auth/{mount_point}/revoke-self" - return self._adapter.post(url=api_path) - - def revoke_accessor(self, accessor, mount_point=DEFAULT_MOUNT_POINT): - """Revoke the token associated with the accessor and all the child tokens. - - This is meant for purposes where there is no access to token ID but there is need to - revoke a token and its children. - - Supported methods: - POST: /auth/{mount_point}/revoke-accessor. - - :param accessor: Accessor of the token. - :type accessor: str - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str - :return: The response of the revoke_a_accessor request. - :rtype: requests.Response - """ - params = { - "accessor": accessor, - } - api_path = "/v1/auth/{mount_point}/revoke-accessor".format( - mount_point=mount_point - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def revoke_and_orphan_children(self, token, mount_point=DEFAULT_MOUNT_POINT): - """Revoke a token but not its child tokens. - - When the token is revoked, all secrets generated with it are also revoked. - All child tokens are orphaned, but can be revoked sub-sequently using /auth/token/revoke/. - This is a root-protected endpoint. - - Supported methods: - POST: /auth/{mount_point}/revoke-orphan. - - :param token: Token to revoke. - :type token: str - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str - :return: The response of the revoke_and_orphan_children request. - :rtype: requests.Response - """ - params = { - "token": token, - } - api_path = "/v1/auth/{mount_point}/revoke-orphan".format( - mount_point=mount_point - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def read_role(self, role_name, mount_point=DEFAULT_MOUNT_POINT): - """Read the named role configuration. - - Supported methods: - GET: /auth/{mount_point}/roles/{role_name}. - - :param role_name: The name of the token role. 
- :type role_name: str - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str - :return: The response of the read_role request. - :rtype: requests.Response - """ - api_path = "/v1/auth/{mount_point}/roles/{role_name}".format( - mount_point=mount_point, - role_name=role_name, - ) - return self._adapter.get( - url=api_path, - ) - - def list_roles( - self, - mount_point=DEFAULT_MOUNT_POINT, - ): - """List available token roles. - - Supported methods: - LIST: /auth/{mount_point}/roles. - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str - :return: The response of the list_roles request. - :rtype: requests.Response - """ - api_path = f"/v1/auth/{mount_point}/roles" - return self._adapter.list( - url=api_path, - ) - - def create_or_update_role( - self, - role_name, - allowed_policies=None, - disallowed_policies=None, - orphan=False, - renewable=True, - path_suffix=None, - allowed_entity_aliases=None, - mount_point=DEFAULT_MOUNT_POINT, - token_period=None, - token_explicit_max_ttl=None, - ): - """Create (or replace) the named role. - - Roles enforce specific behavior when creating tokens that allow token functionality that is otherwise not - available or would require sudo/root privileges to access. Role parameters, when set, override any provided - options to the create endpoints. The role name is also included in the token path, allowing all tokens created - against a role to be revoked using the `/sys/leases/revoke-prefix` endpoint. - - Supported methods: - POST: /auth/{mount_point}/roles/{role_name}. - - :param role_name: The name of the token role. - :type role_name: str - :param allowed_policies: will be added to the created - token automatically. - :type allowed_policies: list - :param disallowed_policies: being added automatically to created - tokens. 
- :type disallowed_policies: list - :param orphan: tokens created against this policy will - be orphan tokens (they will have no parent). As such, they will not be - automatically revoked by the revocation of any other token. - :type orphan: bool - :param renewable: allow - the token to be renewable up to the system/mount maximum TTL. - :type renewable: bool - :param path_suffix: - :type path_suffix: str - :param allowed_entity_aliases: not case sensitive. - :type allowed_entity_aliases: str - :param token_period: the token will have no maximum TTL, every renewal will use the given period. - :type token_period: str - :param token_explicit_max_ttl: the token cannot be renewed past this TTL value. - :type token_explicit_max_ttl: str - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str - :return: The response of the create_or_update_role request. - :rtype: requests.Response - """ - params = utils.remove_nones( - { - "allowed_policies": allowed_policies, - "disallowed_policies": disallowed_policies, - "orphan": orphan, - "renewable": renewable, - "path_suffix": path_suffix, - "allowed_entity_aliases": allowed_entity_aliases, - "token_period": token_period, - "token_explicit_max_ttl": token_explicit_max_ttl, - } - ) - api_path = "/v1/auth/{mount_point}/roles/{role_name}".format( - mount_point=mount_point, - role_name=role_name, - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def delete_role(self, role_name, mount_point=DEFAULT_MOUNT_POINT): - """Delete the named token role. - - Supported methods: - DELETE: /auth/{mount_point}/roles/{role_name}. - - :param role_name: The name of the token role. - :type role_name: str - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str - :return: The response of the delete_role request. 
- :rtype: requests.Response - """ - api_path = "/v1/auth/{mount_point}/roles/{role_name}".format( - mount_point=mount_point, - role_name=role_name, - ) - return self._adapter.delete( - url=api_path, - ) - - def tidy(self, mount_point=DEFAULT_MOUNT_POINT): - """Perform some maintenance tasks to clean up invalid entries that may remain in the token store. - - On Enterprise, Tidy will only impact the tokens in the specified namespace, or the root namespace if unspecified. - - Supported methods: - POST: /auth/{mount_point}/tidy. - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str - :return: The response of the tidy_s request. - :rtype: requests.Response - """ - api_path = f"/v1/auth/{mount_point}/tidy" - return self._adapter.post( - url=api_path, - ) diff --git a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/userpass.py b/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/userpass.py deleted file mode 100644 index bbfb445..0000000 --- a/.venv/lib/python3.12/site-packages/hvac/api/auth_methods/userpass.py +++ /dev/null 
@@ -1,167 +0,0 @@ -#!/usr/bin/env python -"""USERPASS methods module.""" -from hvac import utils -from hvac.api.vault_api_base import VaultApiBase - -DEFAULT_MOUNT_POINT = "userpass" - - -class Userpass(VaultApiBase): - """USERPASS Auth Method (API). - Reference: https://www.vaultproject.io/api/auth/userpass/index.html - """ - - def create_or_update_user( - self, - username, - password=None, - policies=None, - mount_point=DEFAULT_MOUNT_POINT, - **kwargs, - ): - """ - Create/update user in userpass. - - Supported methods: - POST: /auth/{mount_point}/users/{username}. Produces: 204 (empty body) - - :param username: The username for the user. - :type username: str | unicode - :param password: The password for the user. Only required when creating the user. - :type password: str | unicode - :param policies: The list of policies to be set on username created. - :type policies: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :param kwargs: Additional arguments to pass along with the corresponding request to Vault. - :type kwargs: dict - """ - params = utils.remove_nones( - { - "password": password, - "policies": policies, - } - ) - params.update(kwargs) - - api_path = "/v1/auth/{mount_point}/users/{username}".format( - mount_point=mount_point, username=username - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def list_user(self, mount_point=DEFAULT_MOUNT_POINT): - """ - List existing users that have been created in the auth method - - Supported methods: - LIST: /auth/{mount_point}/users. Produces: 200 application/json - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the list_groups request. 
- :rtype: dict - """ - api_path = f"/v1/auth/{mount_point}/users" - return self._adapter.list( - url=api_path, - ) - - def read_user(self, username, mount_point=DEFAULT_MOUNT_POINT): - """ - Read user in the auth method. - - Supported methods: - GET: /auth/{mount_point}/users/{username}. Produces: 200 application/json - - :param username: The username for the user. - :type name: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the read_group request. - :rtype: dict - """ - api_path = "/v1/auth/{mount_point}/users/{username}".format( - mount_point=mount_point, username=username - ) - return self._adapter.get( - url=api_path, - ) - - def delete_user(self, username, mount_point=DEFAULT_MOUNT_POINT): - """ - Delete user in the auth method. - - Supported methods: - GET: /auth/{mount_point}/users/{username}. Produces: 200 application/json - - :param username: The username for the user. - :type name: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the read_group request. - :rtype: dict - """ - api_path = "/v1/auth/{mount_point}/users/{username}".format( - mount_point=mount_point, username=username - ) - return self._adapter.delete( - url=api_path, - ) - - def update_password_on_user( - self, username, password, mount_point=DEFAULT_MOUNT_POINT - ): - """ - update password for the user in userpass. - - Supported methods: - POST: /auth/{mount_point}/users/{username}/password. Produces: 204 (empty body) - - :param username: The username for the user. - :type username: str | unicode - :param password: The password for the user. Only required when creating the user. - :type password: str | unicode - :param mount_point: The "path" the method/backend was mounted on. 
- :type mount_point: str | unicode - """ - params = { - "password": password, - } - api_path = "/v1/auth/{mount_point}/users/{username}/password".format( - mount_point=mount_point, username=username - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def login( - self, username, password, use_token=True, mount_point=DEFAULT_MOUNT_POINT - ): - """ - Log in with USERPASS credentials. - - Supported methods: - POST: /auth/{mount_point}/login/{username}. Produces: 200 application/json - - :param username: The username for the user. - :type username: str | unicode - :param password: The password for the user. Only required when creating the user. - :type password: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - """ - params = { - "password": password, - } - api_path = "/v1/auth/{mount_point}/login/{username}".format( - mount_point=mount_point, username=username - ) - return self._adapter.login( - url=api_path, - use_token=use_token, - json=params, - ) diff --git a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__init__.py b/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__init__.py deleted file mode 100644 index 03cf0b5..0000000 --- a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__init__.py +++ /dev/null 
@@ -1,71 +0,0 @@ -"""Vault secrets engines endpoints""" -from hvac.api.secrets_engines.active_directory import ActiveDirectory -from hvac.api.secrets_engines.aws import Aws -from hvac.api.secrets_engines.azure import Azure -from hvac.api.secrets_engines.consul import Consul -from hvac.api.secrets_engines.database import Database -from hvac.api.secrets_engines.gcp import Gcp -from hvac.api.secrets_engines.identity import Identity -from hvac.api.secrets_engines.kv import Kv -from hvac.api.secrets_engines.kv_v1 import KvV1 -from hvac.api.secrets_engines.kv_v2 import KvV2 -from hvac.api.secrets_engines.ldap import Ldap -from hvac.api.secrets_engines.pki import Pki -from hvac.api.secrets_engines.rabbitmq import RabbitMQ -from hvac.api.secrets_engines.ssh import Ssh -from hvac.api.secrets_engines.transform import Transform -from hvac.api.secrets_engines.transit import Transit -from hvac.api.vault_api_category import VaultApiCategory - -__all__ = ( - "Aws", - "Azure", - "Gcp", - "ActiveDirectory", - "Identity", - "Kv", - "KvV1", - "KvV2", - "Ldap", - "Pki", - "Transform", - "Transit", - "SecretsEngines", - "Database", - "RabbitMQ", - "Ssh", -) - - -class SecretsEngines(VaultApiCategory): - """Secrets Engines.""" - - implemented_classes = [ - Aws, - Azure, - Gcp, - ActiveDirectory, - Identity, - Kv, - Ldap, - Pki, - Transform, - Transit, - Database, - Consul, - RabbitMQ, - Ssh, - ] - unimplemented_classes = [ - "AliCloud", - "Azure", - "GcpKms", - "Nomad", - "Ssh", - "TOTP", - "Cassandra", - "MongoDb", - "Mssql", - "MySql", - "PostgreSql", - ] diff --git a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/__init__.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/__init__.cpython-312.pyc deleted file mode 100644 index 87452b4..0000000 Binary files a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/__init__.cpython-312.pyc and /dev/null differ 
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/active_directory.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/active_directory.cpython-312.pyc deleted file mode 100644 index 491877c..0000000 Binary files a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/active_directory.cpython-312.pyc and /dev/null differ diff --git a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/aws.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/aws.cpython-312.pyc deleted file mode 100644 index 92cd41c..0000000 Binary files a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/aws.cpython-312.pyc and /dev/null differ diff --git a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/azure.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/azure.cpython-312.pyc deleted file mode 100644 index a4b9828..0000000 Binary files a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/azure.cpython-312.pyc and /dev/null differ diff --git a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/consul.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/consul.cpython-312.pyc deleted file mode 100644 index 4bc2299..0000000 Binary files a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/consul.cpython-312.pyc and /dev/null differ diff --git a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/database.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/database.cpython-312.pyc deleted file mode 100644 index 5175604..0000000 Binary files a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/database.cpython-312.pyc and /dev/null differ 
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/gcp.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/gcp.cpython-312.pyc deleted file mode 100644 index 057d8c3..0000000 Binary files a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/gcp.cpython-312.pyc and /dev/null differ diff --git a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/identity.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/identity.cpython-312.pyc deleted file mode 100644 index 43d814d..0000000 Binary files a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/identity.cpython-312.pyc and /dev/null differ diff --git a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/kv.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/kv.cpython-312.pyc deleted file mode 100644 index 1566971..0000000 Binary files a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/kv.cpython-312.pyc and /dev/null differ diff --git a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/kv_v1.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/kv_v1.cpython-312.pyc deleted file mode 100644 index d129ba3..0000000 Binary files a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/kv_v1.cpython-312.pyc and /dev/null differ diff --git a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/kv_v2.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/kv_v2.cpython-312.pyc deleted file mode 100644 index cce6b68..0000000 Binary files a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/kv_v2.cpython-312.pyc and /dev/null differ 
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/ldap.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/ldap.cpython-312.pyc deleted file mode 100644 index 82d1e65..0000000 Binary files a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/ldap.cpython-312.pyc and /dev/null differ diff --git a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/pki.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/pki.cpython-312.pyc deleted file mode 100644 index c3d14d5..0000000 Binary files a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/pki.cpython-312.pyc and /dev/null differ diff --git a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/rabbitmq.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/rabbitmq.cpython-312.pyc deleted file mode 100644 index da3fc85..0000000 Binary files a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/rabbitmq.cpython-312.pyc and /dev/null differ diff --git a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/ssh.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/ssh.cpython-312.pyc deleted file mode 100644 index cd911fe..0000000 Binary files a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/ssh.cpython-312.pyc and /dev/null differ diff --git a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/transform.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/transform.cpython-312.pyc deleted file mode 100644 index 3c12a37..0000000 Binary files a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/transform.cpython-312.pyc and /dev/null differ 
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/transit.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/transit.cpython-312.pyc deleted file mode 100644 index c4f9e17..0000000 Binary files a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/__pycache__/transit.cpython-312.pyc and /dev/null differ diff --git a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/active_directory.py b/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/active_directory.py deleted file mode 100644 index a980f2b..0000000 --- a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/active_directory.py +++ /dev/null 
@@ -1,181 +0,0 @@ -#!/usr/bin/env python -"""Active Directory methods module.""" - -from hvac import utils -from hvac.api.vault_api_base import VaultApiBase - -DEFAULT_MOUNT_POINT = "ad" - - -class ActiveDirectory(VaultApiBase): - """Active Directory Secrets Engine (API). - Reference: https://www.vaultproject.io/api/secret/ad/index.html - """ - - def configure( - self, - binddn=None, - bindpass=None, - url=None, - userdn=None, - upndomain=None, - ttl=None, - max_ttl=None, - mount_point=DEFAULT_MOUNT_POINT, - *args, - **kwargs - ): - """Configure shared information for the ad secrets engine. - - Supported methods: - POST: /{mount_point}/config. Produces: 204 (empty body) - - :param binddn: Distinguished name of object to bind when performing user and group search. - :type binddn: str | unicode - :param bindpass: Password to use along with binddn when performing user search. - :type bindpass: str | unicode - :param url: Base DN under which to perform user search. - :type url: str | unicode - :param userdn: Base DN under which to perform user search. - :type userdn: str | unicode - :param upndomain: userPrincipalDomain used to construct the UPN string for the authenticating user. - :type upndomain: str | unicode - :param ttl: – The default password time-to-live in seconds. Once the ttl has passed, a password will be rotated the next time it's requested. - :type ttl: int | str - :param max_ttl: The maximum password time-to-live in seconds. No role will be allowed to set a custom ttl greater than the max_ttl - integer number of seconds or Go duration format string.** - :type max_ttl: int | str - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. 
- :rtype: requests.Response - """ - params = utils.remove_nones( - { - "binddn": binddn, - "bindpass": bindpass, - "url": url, - "userdn": userdn, - "upndomain": upndomain, - "ttl": ttl, - "max_ttl": max_ttl, - } - ) - - params.update(kwargs) - - api_path = utils.format_url("/v1/{mount_point}/config", mount_point=mount_point) - return self._adapter.post( - url=api_path, - json=params, - ) - - def read_config(self, mount_point=DEFAULT_MOUNT_POINT): - """Read the configured shared information for the ad secrets engine. - - Credentials will be omitted from returned data. - - Supported methods: - GET: /{mount_point}/config. Produces: 200 application/json - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: dict - """ - api_path = utils.format_url("/v1/{mount_point}/config", mount_point=mount_point) - return self._adapter.get( - url=api_path, - ) - - def create_or_update_role( - self, name, service_account_name=None, ttl=None, mount_point=DEFAULT_MOUNT_POINT - ): - """This endpoint creates or updates the ad role definition. - - :param name: Specifies the name of an existing role against which to create this ad credential. - :type name: str | unicode - :param service_account_name: The name of a pre-existing service account in Active Directory that maps to this role. - This value is required on create and optional on update. - :type service_account_name: str | unicode - :param ttl: Specifies the TTL for this role. - This is provided as a string duration with a time suffix like "30s" or "1h" or as seconds. - If not provided, the default Vault TTL is used. - :type ttl: str | unicode - :param mount_point: Specifies the place where the secrets engine will be accessible (default: ad). - :type mount_point: str | unicode - :return: The response of the request. 
- :rtype: requests.Response - """ - api_path = utils.format_url("/v1/{}/roles/{}", mount_point, name) - params = { - "name": name, - } - params.update( - utils.remove_nones( - { - "service_account_name": service_account_name, - "ttl": ttl, - } - ) - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def read_role(self, name, mount_point=DEFAULT_MOUNT_POINT): - """This endpoint queries for information about a ad role with the given name. - If no role exists with that name, a 404 is returned. - :param name: Specifies the name of the role to query. - :type name: str | unicode - :param mount_point: Specifies the place where the secrets engine will be accessible (default: ad). - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url("/v1/{}/roles/{}", mount_point, name) - return self._adapter.get( - url=api_path, - ) - - def list_roles(self, mount_point=DEFAULT_MOUNT_POINT): - """This endpoint lists all existing roles in the secrets engine. - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url("/v1/{}/roles", mount_point) - return self._adapter.list( - url=api_path, - ) - - def delete_role(self, name, mount_point=DEFAULT_MOUNT_POINT): - """This endpoint deletes a ad role with the given name. - Even if the role does not exist, this endpoint will still return a successful response. - :param name: Specifies the name of the role to delete. - :type name: str | unicode - :param mount_point: Specifies the place where the secrets engine will be accessible (default: ad). - :type mount_point: str | unicode - :return: The response of the request. 
- :rtype: requests.Response - """ - api_path = utils.format_url("/v1/{}/roles/{}", mount_point, name) - return self._adapter.delete( - url=api_path, - ) - - def generate_credentials(self, name, mount_point=DEFAULT_MOUNT_POINT): - """This endpoint retrieves the previous and current LDAP password for - the associated account (or rotate if required) - - :param name: Specifies the name of the role to request credentials from. - :type name: str | unicode - :param mount_point: Specifies the place where the secrets engine will be accessible (default: ad). - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url("/v1/{}/creds/{}", mount_point, name) - return self._adapter.get( - url=api_path, - ) diff --git a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/aws.py b/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/aws.py deleted file mode 100644 index 2eb1427..0000000 --- a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/aws.py +++ /dev/null 
@@ -1,407 +0,0 @@ -#!/usr/bin/env python -"""Aws methods module.""" -import json - -from hvac import exceptions, utils -from hvac.api.vault_api_base import VaultApiBase -from hvac.constants.aws import ( - DEFAULT_MOUNT_POINT, - ALLOWED_CREDS_ENDPOINTS, - ALLOWED_CREDS_TYPES, -) - - -class Aws(VaultApiBase): - """AWS Secrets Engine (API). - - Reference: https://www.vaultproject.io/api/secret/aws/index.html - """ - - def configure_root_iam_credentials( - self, - access_key, - secret_key, - region=None, - iam_endpoint=None, - sts_endpoint=None, - max_retries=None, - mount_point=DEFAULT_MOUNT_POINT, - ): - """Configure the root IAM credentials to communicate with AWS. - - There are multiple ways to pass root IAM credentials to the Vault server, specified below with the highest - precedence first. If credentials already exist, this will overwrite them. - - The official AWS SDK is used for sourcing credentials from env vars, shared files, or IAM/ECS instances. - - * Static credentials provided to the API as a payload - * Credentials in the AWS_ACCESS_KEY, AWS_SECRET_KEY, and AWS_REGION environment variables on the server - * Shared credentials files - * Assigned IAM role or ECS task role credentials - - At present, this endpoint does not confirm that the provided AWS credentials are valid AWS credentials with - proper permissions. - - Supported methods: - POST: /{mount_point}/config/root. Produces: 204 (empty body) - - :param access_key: Specifies the AWS access key ID. - :type access_key: str | unicode - :param secret_key: Specifies the AWS secret access key. - :type secret_key: str | unicode - :param region: Specifies the AWS region. If not set it will use the AWS_REGION env var, AWS_DEFAULT_REGION env - var, or us-east-1 in that order. - :type region: str | unicode - :param iam_endpoint: Specifies a custom HTTP IAM endpoint to use. - :type iam_endpoint: str | unicode - :param sts_endpoint: Specifies a custom HTTP STS endpoint to use. 
- :type sts_endpoint: str | unicode - :param max_retries: Number of max retries the client should use for recoverable errors. The default (-1) falls - back to the AWS SDK's default behavior. - :type max_retries: int - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - params = { - "access_key": access_key, - "secret_key": secret_key, - "max_retries": max_retries, - } - params.update( - utils.remove_nones( - { - "region": region, - "iam_endpoint": iam_endpoint, - "sts_endpoint": sts_endpoint, - } - ) - ) - api_path = utils.format_url( - "/v1/{mount_point}/config/root", mount_point=mount_point - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def rotate_root_iam_credentials(self, mount_point=DEFAULT_MOUNT_POINT): - """Rotate static root IAM credentials. - - When you have configured Vault with static credentials, you can use this endpoint to have Vault rotate the - access key it used. Note that, due to AWS eventual consistency, after calling this endpoint, subsequent calls - from Vault to AWS may fail for a few seconds until AWS becomes consistent again. - - In order to call this endpoint, Vault's AWS access key MUST be the only access key on the IAM user; otherwise, - generation of a new access key will fail. Once this method is called, Vault will now be the only entity that - knows the AWS secret key is used to access AWS. - - Supported methods: - POST: /{mount_point}/config/rotate-root. Produces: 200 application/json - - :return: The JSON response of the request. - :rtype: dict - """ - api_path = utils.format_url( - "/v1/{mount_point}/config/rotate-root", mount_point=mount_point - ) - return self._adapter.post( - url=api_path, - ) - - def configure_lease(self, lease, lease_max, mount_point=DEFAULT_MOUNT_POINT): - """Configure lease settings for the AWS secrets engine. 
- - It is optional, as there are default values for lease and lease_max. - - Supported methods: - POST: /{mount_point}/config/lease. Produces: 204 (empty body) - - :param lease: Specifies the lease value provided as a string duration with time suffix. "h" (hour) is the - largest suffix. - :type lease: str | unicode - :param lease_max: Specifies the maximum lease value provided as a string duration with time suffix. "h" (hour) - is the largest suffix. - :type lease_max: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - params = { - "lease": lease, - "lease_max": lease_max, - } - api_path = utils.format_url( - "/v1/{mount_point}/config/lease", mount_point=mount_point - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def read_lease_config(self, mount_point=DEFAULT_MOUNT_POINT): - """Read the current lease settings for the AWS secrets engine. - - Supported methods: - GET: /{mount_point}/config/lease. Produces: 200 application/json - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: dict - """ - api_path = utils.format_url( - "/v1/{mount_point}/config/lease", mount_point=mount_point - ) - return self._adapter.get( - url=api_path, - ) - - def create_or_update_role( - self, - name, - credential_type, - policy_document=None, - default_sts_ttl=None, - max_sts_ttl=None, - role_arns=None, - policy_arns=None, - legacy_params=False, - iam_tags=None, - mount_point=DEFAULT_MOUNT_POINT, - ): - """Create or update the role with the given name. - - If a role with the name does not exist, it will be created. If the role exists, it will be updated with the new - attributes. - - Supported methods: - POST: /{mount_point}/roles/{name}. Produces: 204 (empty body) - - :param name: Specifies the name of the role to create. 
This is part of the request URL. - :type name: str | unicode - :param credential_type: Specifies the type of credential to be used when retrieving credentials from the role. - Must be one of iam_user, assumed_role, or federation_token. - :type credential_type: str | unicode - :param policy_document: The IAM policy document for the role. The behavior depends on the credential type. With - iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM - user has. With assumed_role and federation_token, the policy document will act as a filter on what the - credentials can do. - :type policy_document: dict | str | unicode - :param default_sts_ttl: The default TTL for STS credentials. When a TTL is not specified when STS credentials - are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only - when credential_type is one of assumed_role or federation_token. - :type default_sts_ttl: str | unicode - :param max_sts_ttl: The max allowed TTL for STS credentials (credentials TTL are capped to max_sts_ttl). Valid - only when credential_type is one of assumed_role or federation_token. - :type max_sts_ttl: str | unicode - :param role_arns: Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when - credential_type is assumed_role and prohibited otherwise. This is a comma-separated string or JSON array. - String types supported for Vault legacy parameters. - :type role_arns: list | str | unicode - :param policy_arns: Specifies the ARNs of the AWS managed policies to be attached to IAM users when they are - requested. Valid only when credential_type is iam_user. When credential_type is iam_user, at least one of - policy_arns or policy_document must be specified. This is a comma-separated string or JSON array. - :type policy_arns: list - :param legacy_params: Flag to send legacy (Vault versions < 0.11.0) parameters in the request. 
When this is set - to True, policy_document and policy_arns are the only parameters used from this method. - :type legacy_params: bool - :param iam_tags: A list of strings representing a key/value pair to be used for any IAM user that is created by - this role. Format is a key and value separated by an =. - :type iam_tags: list - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - if credential_type not in ALLOWED_CREDS_TYPES: - error_msg = 'invalid credential_type argument provided "{arg}", supported types: "{allowed_types}"' - raise exceptions.ParamValidationError( - error_msg.format( - arg=credential_type, - allowed_types=", ".join(ALLOWED_CREDS_TYPES), - ) - ) - if isinstance(policy_document, dict): - policy_document = json.dumps(policy_document, indent=4, sort_keys=True) - - if legacy_params: - # Support for Vault <0.11.0 - params = { - "policy": policy_document, - "arn": policy_arns[0] if isinstance(policy_arns, list) else policy_arns, - } - else: - params = { - "credential_type": credential_type, - } - params.update( - utils.remove_nones( - { - "policy_document": policy_document, - "default_sts_ttl": default_sts_ttl, - "max_sts_ttl": max_sts_ttl, - "role_arns": role_arns, - "policy_arns": policy_arns, - "iam_tags": iam_tags, - } - ) - ) - api_path = utils.format_url( - "/v1/{mount_point}/roles/{name}", - mount_point=mount_point, - name=name, - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def read_role(self, name, mount_point=DEFAULT_MOUNT_POINT): - """Query an existing role by the given name. - - If the role does not exist, a 404 is returned. - - Supported methods: - GET: /{mount_point}/roles/{name}. Produces: 200 application/json - - :param name: Specifies the name of the role to read. This is part of the request URL. 
- :type name: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: dict - """ - api_path = utils.format_url( - "/v1/{mount_point}/roles/{name}", - mount_point=mount_point, - name=name, - ) - return self._adapter.get( - url=api_path, - ) - - def list_roles(self, mount_point=DEFAULT_MOUNT_POINT): - """List all existing roles in the secrets engine. - - Supported methods: - LIST: /{mount_point}/roles. Produces: 200 application/json - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: dict - """ - api_path = utils.format_url("/v1/{mount_point}/roles", mount_point=mount_point) - return self._adapter.list( - url=api_path, - ) - - def delete_role(self, name, mount_point=DEFAULT_MOUNT_POINT): - """Delete an existing role by the given name. - - If the role does not exist, a 404 is returned. - - Supported methods: - DELETE: /{mount_point}/roles/{name}. Produces: 204 (empty body) - - :param name: the name of the role to delete. This - is part of the request URL. - :type name: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/{mount_point}/roles/{name}", - mount_point=mount_point, - name=name, - ) - return self._adapter.delete( - url=api_path, - ) - - def generate_credentials( - self, - name, - role_arn=None, - ttl=None, - endpoint="creds", - mount_point=DEFAULT_MOUNT_POINT, - role_session_name=None, - ): - """Generates credential based on the named role. - - This role must be created before queried. - - The ``/aws/creds`` and ``/aws/sts`` endpoints are almost identical. 
The exception is when retrieving credentials for a - role that was specified with the legacy arn or policy parameter. In this case, credentials retrieved through - ``/aws/sts`` must be of either the ``assumed_role`` or ``federation_token`` types, and credentials retrieved through - ``/aws/creds`` must be of the ``iam_user`` type. - - :param name: Specifies the name of the role to generate credentials against. This is part of the request URL. - :type name: str | unicode - :param role_arn: The ARN of the role to assume if ``credential_type`` on the Vault role is assumed_role. Must match - one of the allowed role ARNs in the Vault role. Optional if the Vault role only allows a single AWS role - ARN; required otherwise. - :type role_arn: str | unicode - :param ttl: Specifies the TTL for the use of the STS token. This is specified as a string with a duration - suffix. Valid only when ``credential_type`` is ``assumed_role`` or ``federation_token``. When not specified, the default - sts_ttl set for the role will be used. If that is also not set, then the default value of ``3600s`` will be - used. AWS places limits on the maximum TTL allowed. See the AWS documentation on the ``DurationSeconds`` - parameter for AssumeRole (for ``assumed_role`` credential types) and GetFederationToken (for ``federation_token`` - credential types) for more details. - :type ttl: str | unicode - :param endpoint: Supported endpoints are ``creds`` and ``sts``: - GET: ``/{mount_point}/creds/{name}``. Produces: 200 application/json - POST: ``/{mount_point}/sts/{name}``. Produces: 200 application/json - :type endpoint: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :param role_session_name: The role session name to attach to the assumed role ARN. - ``role_session_name`` is limited to 64 characters; if exceeded, the ``role_session_name`` in the assumed role - ARN will be truncated to 64 characters. 
If ``role_session_name`` is not provided, then it will be generated - dynamically by default. - :type role_session_name: str | unicode - - :return: The JSON response of the request. - :rtype: dict - """ - if endpoint not in ALLOWED_CREDS_ENDPOINTS: - error_msg = 'invalid endpoint argument provided "{arg}", supported types: "{allowed_endpoints}"' - raise exceptions.ParamValidationError( - error_msg.format( - arg=endpoint, - allowed_endpoints=", ".join(ALLOWED_CREDS_ENDPOINTS), - ) - ) - params = {} - params.update( - utils.remove_nones( - { - "role_arn": role_arn, - "role_session_name": role_session_name, - "ttl": ttl, - } - ) - ) - api_path = utils.format_url( - "/v1/{mount_point}/{endpoint}/{name}", - mount_point=mount_point, - endpoint=endpoint, - name=name, - ) - - if endpoint == "sts": - return self._adapter.post( - url=api_path, - json=params, - ) - else: - return self._adapter.get( - url=api_path, - params=params, - ) diff --git a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/azure.py b/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/azure.py deleted file mode 100644 index 6764970..0000000 --- a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/azure.py +++ /dev/null 
@@ -1,201 +0,0 @@ -#!/usr/bin/env python -"""Azure secret engine methods module.""" -import json - -from hvac import exceptions, utils -from hvac.api.vault_api_base import VaultApiBase -from hvac.constants.azure import VALID_ENVIRONMENTS - -DEFAULT_MOUNT_POINT = "azure" - - -class Azure(VaultApiBase): - """Azure Secrets Engine (API). - - Reference: https://www.vaultproject.io/api/secret/azure/index.html - """ - - def configure( - self, - subscription_id, - tenant_id, - client_id=None, - client_secret=None, - environment=None, - mount_point=DEFAULT_MOUNT_POINT, - ): - """Configure the credentials required for the plugin to perform API calls to Azure. - - These credentials will be used to query roles and create/delete service principals. Environment variables will - override any parameters set in the config. - - Supported methods: - POST: /{mount_point}/config. Produces: 204 (empty body) - - - :param subscription_id: The subscription id for the Azure Active Directory - :type subscription_id: str | unicode - :param tenant_id: The tenant id for the Azure Active Directory. - :type tenant_id: str | unicode - :param client_id: The OAuth2 client id to connect to Azure. - :type client_id: str | unicode - :param client_secret: The OAuth2 client secret to connect to Azure. - :type client_secret: str | unicode - :param environment: The Azure environment. If not specified, Vault will use Azure Public Cloud. - :type environment: str | unicode - :param mount_point: The OAuth2 client secret to connect to Azure. - :type mount_point: str | unicode - :return: The response of the request. 
- :rtype: requests.Response - """ - if environment is not None and environment not in VALID_ENVIRONMENTS: - error_msg = 'invalid environment argument provided "{arg}", supported environments: "{environments}"' - raise exceptions.ParamValidationError( - error_msg.format( - arg=environment, - environments=",".join(VALID_ENVIRONMENTS), - ) - ) - params = { - "subscription_id": subscription_id, - "tenant_id": tenant_id, - } - params.update( - utils.remove_nones( - { - "client_id": client_id, - "client_secret": client_secret, - "environment": environment, - } - ) - ) - api_path = utils.format_url("/v1/{mount_point}/config", mount_point=mount_point) - return self._adapter.post( - url=api_path, - json=params, - ) - - def read_config(self, mount_point=DEFAULT_MOUNT_POINT): - """Read the stored configuration, omitting client_secret. - - Supported methods: - GET: /{mount_point}/config. Produces: 200 application/json - - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The data key from the JSON response of the request. - :rtype: dict - """ - api_path = utils.format_url("/v1/{mount_point}/config", mount_point=mount_point) - response = self._adapter.get( - url=api_path, - ) - return response.get("data") - - def delete_config(self, mount_point=DEFAULT_MOUNT_POINT): - """Delete the stored Azure configuration and credentials. - - Supported methods: - DELETE: /auth/{mount_point}/config. Produces: 204 (empty body) - - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url("/v1/{mount_point}/config", mount_point=mount_point) - return self._adapter.delete( - url=api_path, - ) - - def create_or_update_role( - self, name, azure_roles, ttl=None, max_ttl=None, mount_point=DEFAULT_MOUNT_POINT - ): - """Create or update a Vault role. 
- - The provided Azure roles must exist for this call to succeed. See the Azure secrets roles docs for more - information about roles. - - Supported methods: - POST: /{mount_point}/roles/{name}. Produces: 204 (empty body) - - - :param name: Name of the role. - :type name: str | unicode - :param azure_roles: List of Azure roles to be assigned to the generated service principal. - :type azure_roles: list(dict) - :param ttl: Specifies the default TTL for service principals generated using this role. Accepts time suffixed - strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time. - :type ttl: str | unicode - :param max_ttl: Specifies the maximum TTL for service principals generated using this role. Accepts time - suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time. - :type max_ttl: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - params = { - "azure_roles": json.dumps(azure_roles), - } - params.update( - utils.remove_nones( - { - "ttl": ttl, - "max_ttl": max_ttl, - } - ) - ) - api_path = utils.format_url( - "/v1/{mount_point}/roles/{name}", - mount_point=mount_point, - name=name, - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def list_roles(self, mount_point=DEFAULT_MOUNT_POINT): - """List all of the roles that are registered with the plugin. - - Supported methods: - LIST: /{mount_point}/roles. Produces: 200 application/json - - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The data key from the JSON response of the request. 
- :rtype: dict - """ - api_path = utils.format_url("/v1/{mount_point}/roles", mount_point=mount_point) - response = self._adapter.list( - url=api_path, - ) - return response.get("data") - - def generate_credentials(self, name, mount_point=DEFAULT_MOUNT_POINT): - """Generate a new service principal based on the named role. - - Supported methods: - GET: /{mount_point}/creds/{name}. Produces: 200 application/json - - - :param name: Specifies the name of the role to create credentials against. - :type name: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The data key from the JSON response of the request. - :rtype: dict - """ - api_path = utils.format_url( - "/v1/{mount_point}/creds/{name}", - mount_point=mount_point, - name=name, - ) - response = self._adapter.get( - url=api_path, - ) - return response.get("data") diff --git a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/consul.py b/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/consul.py deleted file mode 100644 index 13376a0..0000000 --- a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/consul.py +++ /dev/null 
@@ -1,171 +0,0 @@ -#!/usr/bin/env python -"""Consul methods module.""" -from hvac import utils -from hvac.api.vault_api_base import VaultApiBase - -DEFAULT_MOUNT_POINT = "consul" - - -class Consul(VaultApiBase): - """Copnsul Secrets Engine (API). - - Reference: https://www.vaultproject.io/api/secret/consul/index.html - """ - - def configure_access( - self, address, token, scheme=None, mount_point=DEFAULT_MOUNT_POINT - ): - """This endpoint configures the access information for Consul. - This access information is used so that Vault can communicate with Consul and generate Consul tokens. - - :param address: Specifies the address of the Consul instance, provided as "host:port" like "127.0.0.1:8500". - :type address: str | unicode - :param token: Specifies the Consul ACL token to use. This must be a management type token. - :type token: str | unicode - :param scheme: Specifies the URL scheme to use. - :type scheme: str | unicode - :param mount_point: Specifies the place where the secrets engine will be accessible (default: consul). - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - params = { - "address": address, - "token": token, - } - params.update( - utils.remove_nones( - { - "scheme": scheme, - } - ) - ) - - api_path = utils.format_url("/v1/{}/config/access", mount_point) - return self._adapter.post( - url=api_path, - json=params, - ) - - def create_or_update_role( - self, - name, - policy=None, - policies=None, - token_type=None, - local=None, - ttl=None, - max_ttl=None, - mount_point=DEFAULT_MOUNT_POINT, - ): - """This endpoint creates or updates the Consul role definition. - If the role does not exist, it will be created. - If the role already exists, it will receive updated attributes. - - :param name: Specifies the name of an existing role against which to create this Consul credential. - :type name: str | unicode - :param token_type: Specifies the type of token to create when using this role. 
- Valid values are "client" or "management". - :type token_type: str | unicode - :param policy: Specifies the base64 encoded ACL policy. - The ACL format can be found in the Consul ACL documentation (https://www.consul.io/docs/internals/acl.html). - This is required unless the token_type is management. - :type policy: str | unicode - :param policies: The list of policies to assign to the generated token. - This is only available in Consul 1.4 and greater. - :type policies: list - :param local: Indicates that the token should not be replicated globally - and instead be local to the current datacenter. Only available in Consul 1.4 and greater. - :type local: bool - :param ttl: Specifies the TTL for this role. - This is provided as a string duration with a time suffix like "30s" or "1h" or as seconds. - If not provided, the default Vault TTL is used. - :type ttl: str | unicode - :param max_ttl: Specifies the max TTL for this role. - This is provided as a string duration with a time suffix like "30s" or "1h" or as seconds. - If not provided, the default Vault Max TTL is used. - :type max_ttl: str | unicode - :param mount_point: Specifies the place where the secrets engine will be accessible (default: consul). - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url("/v1/{}/roles/{}", mount_point, name) - - params = utils.remove_nones( - { - "token_type": token_type, - "policy": policy, - "policies": policies, - "local": local, - "ttl": ttl, - "max_ttl": max_ttl, - } - ) - - return self._adapter.post( - url=api_path, - json=params, - ) - - def read_role(self, name, mount_point=DEFAULT_MOUNT_POINT): - """This endpoint queries for information about a Consul role with the given name. - If no role exists with that name, a 404 is returned. - - :param name: Specifies the name of the role to query. 
- :type name: str | unicode - :param mount_point: Specifies the place where the secrets engine will be accessible (default: consul). - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - - api_path = utils.format_url("/v1/{}/roles/{}", mount_point, name) - - return self._adapter.get( - url=api_path, - ) - - def list_roles(self, mount_point=DEFAULT_MOUNT_POINT): - """This endpoint lists all existing roles in the secrets engine. - - :return: The response of the request. - :rtype: requests.Response - """ - - api_path = utils.format_url("/v1/{}/roles", mount_point) - return self._adapter.list( - url=api_path, - ) - - def delete_role(self, name, mount_point=DEFAULT_MOUNT_POINT): - """This endpoint deletes a Consul role with the given name. - Even if the role does not exist, this endpoint will still return a successful response. - - :param name: Specifies the name of the role to delete. - :type name: str | unicode - :param mount_point: Specifies the place where the secrets engine will be accessible (default: consul). - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url("/v1/{}/roles/{}", mount_point, name) - return self._adapter.delete( - url=api_path, - ) - - def generate_credentials(self, name, mount_point=DEFAULT_MOUNT_POINT): - """This endpoint generates a dynamic Consul token based on the given role definition. - - :param name: Specifies the name of an existing role against which to create this Consul credential. - :type name: str | unicode - :param mount_point: Specifies the place where the secrets engine will be accessible (default: consul). - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url("/v1/{}/creds/{}", mount_point, name) - - return self._adapter.get( - url=api_path, - ) 
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/database.py b/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/database.py deleted file mode 100644 index cac8e94..0000000 --- a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/database.py +++ /dev/null 
@@ -1,405 +0,0 @@ -#!/usr/bin/env python -"""Database methods module.""" -from hvac import utils -from hvac.api.vault_api_base import VaultApiBase - -DEFAULT_MOUNT_POINT = "database" - - -class Database(VaultApiBase): - """Database Secrets Engine (API). - - Reference: https://www.vaultproject.io/api/secret/databases/index.html - """ - - def configure( - self, - name, - plugin_name, - verify_connection=None, - allowed_roles=None, - root_rotation_statements=None, - mount_point=DEFAULT_MOUNT_POINT, - *args, - **kwargs - ): - """This endpoint configures the connection string used to communicate with the desired database. - In addition to the parameters listed here, each Database plugin has additional, - database plugin specific, parameters for this endpoint. - Please read the HTTP API for the plugin you'd wish to configure to see the full list of additional parameters. - - :param name: Specifies the name for this database connection. This is specified as part of the URL. - :type name: str | unicode - :param plugin_name: Specifies the name of the plugin to use for this connection. - :type plugin_name: str | unicode - :param verify_connection: Specifies if the connection is verified during initial configuration. - :type verify_connection: bool - :param allowed_roles: List of the roles allowed to use this connection. Defaults to empty (no roles), - if contains a "*" any role can use this connection. - :type allowed_roles: list - :param root_rotation_statements: Specifies the database statements to be executed to rotate - the root user's credentials. - :type root_rotation_statements: list - :return: The response of the request. 
- :rtype: requests.Response - """ - params = { - "plugin_name": plugin_name, - } - params.update( - utils.remove_nones( - { - "allowed_roles": allowed_roles, - "verify_connection": verify_connection, - "root_rotation_statements": root_rotation_statements, - } - ) - ) - - params.update(kwargs) - - api_path = utils.format_url( - "/v1/{mount_point}/config/{name}", mount_point=mount_point, name=name - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def rotate_root_credentials(self, name, mount_point=DEFAULT_MOUNT_POINT): - """This endpoint is used to rotate the root superuser credentials stored for the database connection. - This user must have permissions to update its own password. - - :param name: Specifies the name of the connection to rotate. - :type name: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/{mount_point}/rotate-root/{name}", mount_point=mount_point, name=name - ) - return self._adapter.post( - url=api_path, - ) - - def read_connection(self, name, mount_point=DEFAULT_MOUNT_POINT): - """This endpoint returns the configuration settings for a connection. - - :param name: Specifies the name of the connection to read. - :type name: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - - api_path = utils.format_url( - "/v1/{mount_point}/config/{name}", mount_point=mount_point, name=name - ) - - return self._adapter.get( - url=api_path, - ) - - def list_connections(self, mount_point=DEFAULT_MOUNT_POINT): - """This endpoint returns a list of available connections. - - :return: The response of the request. - :rtype: requests.Response - """ - - api_path = utils.format_url("/v1/{mount_point}/config", mount_point=mount_point) - return self._adapter.list( - url=api_path, - ) - - def delete_connection(self, name, mount_point=DEFAULT_MOUNT_POINT): - """This endpoint deletes a connection. 
- - - :param name: Specifies the name of the connection to delete. - :type name: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/{mount_point}/config/{name}", mount_point=mount_point, name=name - ) - return self._adapter.delete( - url=api_path, - ) - - def reset_connection(self, name, mount_point=DEFAULT_MOUNT_POINT): - """This endpoint closes a connection and it's underlying plugin and - restarts it with the configuration stored in the barrier. - - :param name: Specifies the name of the connection to reset. - :type name: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/{mount_point}/reset/{name}", mount_point=mount_point, name=name - ) - return self._adapter.post( - url=api_path, - ) - - def create_role( - self, - name, - db_name, - creation_statements, - default_ttl=None, - max_ttl=None, - revocation_statements=None, - rollback_statements=None, - renew_statements=None, - mount_point=DEFAULT_MOUNT_POINT, - ): - """This endpoint creates or updates a role definition. - - :param name: Specifies the database role to manage. - :type name: str | unicode - :param db_name: The name of the database connection to use for this role. - :type db_name: str | unicode - :param creation_statements: Specifies the database statements executed to create and configure a user. - :type creation_statements: list - :param default_ttl: Specifies the TTL for the leases associated with this role. - :type default_ttl: int - :param max_ttl: Specifies the maximum TTL for the leases associated with this role. - :type max_ttl: int - :param revocation_statements: Specifies the database statements to be executed to revoke a user. - :type revocation_statements: list - :param rollback_statements: Specifies the database statements to be executed to rollback - a create operation in the event of an error. 
- :type rollback_statements: list - :param renew_statements: Specifies the database statements to be executed to renew a user. - :type renew_statements: list - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - - params = { - "db_name": db_name, - "creation_statements": creation_statements, - } - params.update( - utils.remove_nones( - { - "default_ttl": default_ttl, - "max_ttl": max_ttl, - "revocation_statements": revocation_statements, - "rollback_statements": rollback_statements, - "renew_statements": renew_statements, - } - ) - ) - - api_path = utils.format_url( - "/v1/{mount_point}/roles/{name}", mount_point=mount_point, name=name - ) - return self._adapter.post(url=api_path, json=params) - - def create_static_role( - self, - name, - db_name, - username, - rotation_statements, - rotation_period=86400, - mount_point=DEFAULT_MOUNT_POINT, - ): - """This endpoint creates or updates a static role definition. - - :param name: Specifies the name of the role to create. - :type name: str | unicode - :param db_name: The name of the database connection to use for this role. - :type db_name: str | unicode - :param username: Specifies the database username that the Vault role `name` above corresponds to. - :type username: str | unicode - :param rotation_statements: Specifies the database statements to be executed to rotate the password for the configured database user. - Not every plugin type will support this functionality. See the plugin's API page for more information on support and - formatting for this parameter. - :type rotation_statements: list - :param rotation_period: Specifies the amount of time Vault should wait before rotating the password. The minimum is 5 seconds. - :type rotation_period: int - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. 
- :rtype: requests.Response - """ - - params = { - "db_name": db_name, - "username": username, - "rotation_statements": rotation_statements, - "rotation_period": rotation_period, - } - - api_path = utils.format_url( - "/v1/{mount_point}/static-roles/{name}", mount_point=mount_point, name=name - ) - return self._adapter.post(url=api_path, json=params) - - def read_role(self, name, mount_point=DEFAULT_MOUNT_POINT): - """This endpoint queries the role definition. - - :param name: Specifies the name of the role to read. - :type name: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - - api_path = utils.format_url( - "/v1/{mount_point}/roles/{name}", mount_point=mount_point, name=name - ) - - return self._adapter.get( - url=api_path, - ) - - def read_static_role(self, name, mount_point=DEFAULT_MOUNT_POINT): - """This endpoint queries the static role definition. - - :param name: Specifies the name of the role to read. - :type name: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - - api_path = utils.format_url( - "/v1/{mount_point}/static-roles/{name}", mount_point=mount_point, name=name - ) - - return self._adapter.get( - url=api_path, - ) - - def list_roles(self, mount_point=DEFAULT_MOUNT_POINT): - """This endpoint returns a list of available roles. - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - - api_path = utils.format_url("/v1/{mount_point}/roles", mount_point=mount_point) - return self._adapter.list( - url=api_path, - ) - - def list_static_roles(self, mount_point=DEFAULT_MOUNT_POINT): - """This endpoint returns a list of available static roles. 
- - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - - api_path = utils.format_url( - "/v1/{mount_point}/static-roles", mount_point=mount_point - ) - return self._adapter.list( - url=api_path, - ) - - def delete_role(self, name, mount_point=DEFAULT_MOUNT_POINT): - """This endpoint deletes the role definition. - - :param name: Specifies the name of the role to delete. - :type name: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/{mount_point}/roles/{name}", mount_point=mount_point, name=name - ) - return self._adapter.delete( - url=api_path, - ) - - def delete_static_role(self, name, mount_point=DEFAULT_MOUNT_POINT): - """This endpoint deletes the static role definition. - - :param name: Specifies the name of the role to delete. - :type name: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/{mount_point}/static-roles/{name}", mount_point=mount_point, name=name - ) - return self._adapter.delete( - url=api_path, - ) - - def generate_credentials(self, name, mount_point=DEFAULT_MOUNT_POINT): - """This endpoint generates a new set of dynamic credentials based on the named role. - - :param name: Specifies the name of the role to create credentials against - :type name: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. 
- :rtype: requests.Response - """ - - api_path = utils.format_url( - "/v1/{mount_point}/creds/{name}", mount_point=mount_point, name=name - ) - - return self._adapter.get( - url=api_path, - ) - - def get_static_credentials(self, name, mount_point=DEFAULT_MOUNT_POINT): - """This endpoint returns the current credentials based on the named static role. - - :param name: Specifies the name of the role to create credentials against - :type name: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - - api_path = utils.format_url( - "/v1/{mount_point}/static-creds/{name}", mount_point=mount_point, name=name - ) - - return self._adapter.get( - url=api_path, - ) - - def rotate_static_role_credentials(self, name, mount_point=DEFAULT_MOUNT_POINT): - """This endpoint is used to rotate the Static Role credentials stored for a given role name. - While Static Roles are rotated automatically by Vault at configured rotation periods, - users can use this endpoint to manually trigger a rotation to change the stored password and - reset the TTL of the Static Role's password. - - :param name: Specifies the name of the role to create credentials against - :type name: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - - api_path = utils.format_url( - "/v1/{mount_point}/rotate-role/{name}", mount_point=mount_point, name=name - ) - - return self._adapter.post( - url=api_path, - ) diff --git a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/gcp.py b/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/gcp.py deleted file mode 100644 index eb1f2c9..0000000 --- a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/gcp.py +++ /dev/null 
@@ -1,746 +0,0 @@ -#!/usr/bin/env python -"""Gcp methods module.""" -import json -import logging - -from hvac import exceptions, utils -from hvac.api.vault_api_base import VaultApiBase -from hvac.constants.gcp import ( - ALLOWED_SECRETS_TYPES, - SERVICE_ACCOUNT_KEY_ALGORITHMS, - SERVICE_ACCOUNT_KEY_TYPES, -) - -DEFAULT_MOUNT_POINT = "gcp" - - -class Gcp(VaultApiBase): - """Google Cloud Secrets Engine (API). - - Reference: https://www.vaultproject.io/api/secret/gcp/index.html - """ - - def configure( - self, credentials=None, ttl=None, max_ttl=None, mount_point=DEFAULT_MOUNT_POINT - ): - """Configure shared information for the Gcp secrets engine. - - Supported methods: - POST: /{mount_point}/config. Produces: 204 (empty body) - - :param credentials: JSON credentials (either file contents or '@path/to/file') See docs for alternative ways to - pass in to this parameter, as well as the required permissions. - :type credentials: str | unicode - :param ttl: – Specifies default config TTL for long-lived credentials (i.e. service account keys). Accepts - integer number of seconds or Go duration format string. - :type ttl: int | str - :param max_ttl: Specifies the maximum config TTL for long-lived credentials (i.e. service account keys). Accepts - integer number of seconds or Go duration format string.** - :type max_ttl: int | str - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - params = utils.remove_nones( - { - "credentials": credentials, - "ttl": ttl, - "max_ttl": max_ttl, - } - ) - api_path = utils.format_url("/v1/{mount_point}/config", mount_point=mount_point) - return self._adapter.post( - url=api_path, - json=params, - ) - - def rotate_root_credentials(self, mount_point=DEFAULT_MOUNT_POINT): - """Rotate the GCP service account credentials used by Vault for this mount. 
- - A new key will be generated for the service account, replacing the internal value, and then a deletion of the - old service account key is scheduled. Note that this does not create a new service account, only a new version - of the service account key. - - Supported methods: - POST: /{mount_point}/config/rotate-root. Produces: 200 application/json - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: dict - """ - api_path = utils.format_url( - "/v1/{mount_point}/config/rotate-root", - mount_point=mount_point, - ) - return self._adapter.post( - url=api_path, - ) - - def read_config(self, mount_point=DEFAULT_MOUNT_POINT): - """Read the configured shared information for the Gcp secrets engine. - - Credentials will be omitted from returned data. - - Supported methods: - GET: /{mount_point}/config. Produces: 200 application/json - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: dict - """ - api_path = utils.format_url("/v1/{mount_point}/config", mount_point=mount_point) - return self._adapter.get( - url=api_path, - ) - - def create_or_update_roleset( - self, - name, - project, - bindings, - secret_type=None, - token_scopes=None, - mount_point=DEFAULT_MOUNT_POINT, - ): - """Create a roleset or update an existing roleset. - - See roleset docs for the GCP secrets backend to learn more about what happens when you create or update a - roleset. - - Supported methods: - POST: /{mount_point}/roleset/{name}. Produces: 204 (empty body) - - :param name: Name of the role. Cannot be updated. - :type name: str | unicode - :param project: Name of the GCP project that this roleset's service account will belong to. Cannot be updated. 
- :type project: str | unicode - :param bindings: Bindings configuration string (expects HCL or JSON format in raw or base64-encoded string) - :type bindings: str | unicode - :param secret_type: Cannot be updated. - :type secret_type: str | unicode - :param token_scopes: List of OAuth scopes to assign to access_token secrets generated under this role set - (access_token role sets only) - :type token_scopes: list[str] - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - if secret_type is not None and secret_type not in ALLOWED_SECRETS_TYPES: - error_msg = 'unsupported secret_type argument provided "{arg}", supported types: "{secret_type}"' - raise exceptions.ParamValidationError( - error_msg.format( - arg=secret_type, - secret_type=",".join(ALLOWED_SECRETS_TYPES), - ) - ) - - if isinstance(bindings, dict): - bindings = json.dumps(bindings).replace(" ", "") - logging.debug("bindings: %s" % bindings) - - params = { - "project": project, - "bindings": bindings, - } - params.update( - utils.remove_nones( - { - "secret_type": secret_type, - "token_scopes": token_scopes, - } - ) - ) - - api_path = utils.format_url( - "/v1/{mount_point}/roleset/{name}", - mount_point=mount_point, - name=name, - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def rotate_roleset_account(self, name, mount_point=DEFAULT_MOUNT_POINT): - """Rotate the service account this roleset uses to generate secrets. - - This also replaces the key access_token roleset. This can be used to invalidate old secrets generated by the - roleset or fix issues if a roleset's service account (and/or keys) was changed outside of Vault (i.e. - through GCP APIs/cloud console). - - Supported methods: - POST: /{mount_point}/roleset/{name}/rotate. Produces: 204 (empty body) - - :param name: Name of the role. 
- :type name: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/{mount_point}/roleset/{name}/rotate", - mount_point=mount_point, - name=name, - ) - return self._adapter.post( - url=api_path, - ) - - def rotate_roleset_account_key(self, name, mount_point=DEFAULT_MOUNT_POINT): - """Rotate the service account key this roleset uses to generate access tokens. - - This does not recreate the roleset service account. - - Supported methods: - POST: /{mount_point}/roleset/{name}/rotate-key. Produces: 204 (empty body) - - :param name: Name of the role. - :type name: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/{mount_point}/roleset/{name}/rotate-key", - mount_point=mount_point, - name=name, - ) - return self._adapter.post( - url=api_path, - ) - - def read_roleset(self, name, mount_point=DEFAULT_MOUNT_POINT): - """Read a roleset. - - Supported methods: - GET: /{mount_point}/roleset/{name}. Produces: 200 application/json - - :param name: Name of the role. - :type name: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: dict - """ - api_path = utils.format_url( - "/v1/{mount_point}/roleset/{name}", - mount_point=mount_point, - name=name, - ) - return self._adapter.get( - url=api_path, - ) - - def list_rolesets(self, mount_point=DEFAULT_MOUNT_POINT): - """List configured rolesets. - - Supported methods: - LIST: /{mount_point}/rolesets. Produces: 200 application/json - - :param mount_point: The "path" the method/backend was mounted on. 
- :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: dict - """ - api_path = utils.format_url( - "/v1/{mount_point}/rolesets", mount_point=mount_point - ) - return self._adapter.list( - url=api_path, - ) - - def delete_roleset(self, name, mount_point=DEFAULT_MOUNT_POINT): - """Delete an existing roleset by the given name. - - Supported methods: - DELETE: /{mount_point}/roleset/{name} Produces: 200 application/json - - :param name: Name of the role. - :type name: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/{mount_point}/roleset/{name}", - name=name, - mount_point=mount_point, - ) - return self._adapter.delete( - url=api_path, - ) - - def generate_oauth2_access_token(self, roleset, mount_point=DEFAULT_MOUNT_POINT): - """Generate an OAuth2 token with the scopes defined on the roleset. - - This OAuth access token can be used in GCP API calls, e.g. curl -H "Authorization: Bearer $TOKEN" ... - - Supported methods: - GET: /{mount_point}/token/{roleset}. Produces: 200 application/json - - :param roleset: Name of an roleset with secret type access_token to generate access_token under. - :type roleset: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. 
- :rtype: dict - """ - api_path = utils.format_url( - "/v1/{mount_point}/token/{roleset}", - mount_point=mount_point, - roleset=roleset, - ) - return self._adapter.get( - url=api_path, - ) - - def generate_service_account_key( - self, - roleset, - key_algorithm="KEY_ALG_RSA_2048", - key_type="TYPE_GOOGLE_CREDENTIALS_FILE", - method="POST", - mount_point=DEFAULT_MOUNT_POINT, - ): - """Generate Secret (IAM Service Account Creds): Service Account Key - - If using GET ('read'), the optional parameters will be set to their defaults. Use POST if you want to specify - different values for these params. - - :param roleset: Name of an roleset with secret type service_account_key to generate key under. - :type roleset: str | unicode - :param key_algorithm: Key algorithm used to generate key. Defaults to 2k RSA key You probably should not choose - other values (i.e. 1k), - :type key_algorithm: str | unicode - :param key_type: Private key type to generate. Defaults to JSON credentials file. - :type key_type: str | unicode - :param method: Supported methods: - POST: /{mount_point}/key/{roleset}. Produces: 200 application/json - GET: /{mount_point}/key/{roleset}. Produces: 200 application/json - :type method: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: dict - """ - api_path = utils.format_url( - "/v1/{mount_point}/key/{roleset}", - mount_point=mount_point, - roleset=roleset, - ) - - return self._generate_service_account_key( - api_path, key_algorithm, key_type, method - ) - - def create_or_update_static_account( - self, - name, - service_account_email, - bindings=None, - secret_type=None, - token_scopes=None, - mount_point=DEFAULT_MOUNT_POINT, - ): - """Create a static account or update an existing static account. - - See static account docs for the GCP secrets backend to learn more about what happens when you create or update a - static account. 
- - Supported methods: - POST: /{mount_point}/static-account/{name}. Produces: 204 (empty body) - - :param name: Name of the static account. Cannot be updated. - :type name: str | unicode - :param service_account_email: Email of the GCP service account to manage. Cannot be updated. - :type service_account_email: str | unicode - :param bindings: Bindings configuration string (expects HCL or JSON format in raw or base64-encoded string) - :type bindings: str | unicode - :param secret_type: Type of secret generated for this static account. Accepted values: access_token, - service_account_key. Cannot be updated. - :type secret_type: str | unicode - :param token_scopes: List of OAuth scopes to assign to access_token secrets generated under this static account - (access_token static accounts only) - :type token_scopes: list[str] - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - if secret_type is not None and secret_type not in ALLOWED_SECRETS_TYPES: - error_msg = 'unsupported secret_type argument provided "{arg}", supported types: "{secret_type}"' - raise exceptions.ParamValidationError( - error_msg.format( - arg=secret_type, - secret_type=",".join(ALLOWED_SECRETS_TYPES), - ) - ) - - if isinstance(bindings, dict): - bindings = json.dumps(bindings).replace(" ", "") - logging.debug("bindings: %s" % bindings) - - params = { - "service_account_email": service_account_email, - } - params.update( - utils.remove_nones( - { - "bindings": bindings, - "secret_type": secret_type, - "token_scopes": token_scopes, - } - ) - ) - api_path = utils.format_url( - "/v1/{mount_point}/static-account/{name}", - mount_point=mount_point, - name=name, - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def rotate_static_account_key(self, name, mount_point=DEFAULT_MOUNT_POINT): - """Rotate the service account key this static account uses to generate 
access tokens. - - This does not recreate the service account. - - Supported methods: - POST: /{mount_point}/static-account/{name}/rotate-key. Produces: 204 (empty body) - - :param name: Name of the static account. - :type name: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/{mount_point}/static-account/{name}/rotate-key", - mount_point=mount_point, - name=name, - ) - return self._adapter.post( - url=api_path, - ) - - def read_static_account(self, name, mount_point=DEFAULT_MOUNT_POINT): - """Read a static account. - - Supported methods: - GET: /{mount_point}/static-account/{name}. Produces: 200 application/json - - :param name: Name of the static account. - :type name: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: dict - """ - api_path = utils.format_url( - "/v1/{mount_point}/static-account/{name}", - mount_point=mount_point, - name=name, - ) - return self._adapter.get( - url=api_path, - ) - - def list_static_accounts(self, mount_point=DEFAULT_MOUNT_POINT): - """List configured static accounts. - - Supported methods: - LIST: /{mount_point}/static-accounts. Produces: 200 application/json - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: dict - """ - api_path = utils.format_url( - "/v1/{mount_point}/static-accounts", mount_point=mount_point - ) - return self._adapter.list( - url=api_path, - ) - - def delete_static_account(self, name, mount_point=DEFAULT_MOUNT_POINT): - """Delete an existing static account by the given name. 
- - Supported methods: - DELETE: /{mount_point}/static-account/{name} Produces: 204 (empty body) - - :param name: Name of the static account. - :type name: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/{mount_point}/static-account/{name}", - name=name, - mount_point=mount_point, - ) - return self._adapter.delete( - url=api_path, - ) - - def generate_static_account_oauth2_access_token( - self, name, mount_point=DEFAULT_MOUNT_POINT - ): - """Generate an OAuth2 token with the scopes defined on the static account. - - This OAuth access token can be used in GCP API calls, e.g. curl -H "Authorization: Bearer $TOKEN" ... - - Supported methods: - GET: /{mount_point}/static-account/{name}/token. Produces: 200 application/json - - :param name: Name of a static account with secret type access_token to generate access_token under. - :type name: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: dict - """ - api_path = utils.format_url( - "/v1/{mount_point}/static-account/{name}/token", - mount_point=mount_point, - name=name, - ) - return self._adapter.get( - url=api_path, - ) - - def generate_static_account_service_account_key( - self, - name, - key_algorithm="KEY_ALG_RSA_2048", - key_type="TYPE_GOOGLE_CREDENTIALS_FILE", - method="POST", - mount_point=DEFAULT_MOUNT_POINT, - ): - """Generate Secret (IAM Service Account Creds): Service Account Key - - If using GET ('read'), the optional parameters will be set to their defaults. Use POST if you want to specify - different values for these params. - - :param name: Name of a static account with secret type service_account_key to generate key under. 
- :type name: str | unicode - :param key_algorithm: Key algorithm used to generate key. Defaults to 2k RSA key You probably should not choose - other values (i.e. 1k), - :type key_algorithm: str | unicode - :param key_type: Private key type to generate. Defaults to JSON credentials file. - :type key_type: str | unicode - :param method: Supported methods: - POST: /v1/{mount_point}/static-account/{name}/key. Produces: 200 application/json - GET: /v1/{mount_point}/static-account/{name}/key. Produces: 200 application/json - :type method: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: dict - """ - api_path = utils.format_url( - "/v1/{mount_point}/static-account/{name}/key", - mount_point=mount_point, - name=name, - ) - - return self._generate_service_account_key( - api_path, key_algorithm, key_type, method - ) - - def create_or_update_impersonated_account( - self, - name, - service_account_email, - token_scopes=None, - ttl=None, - mount_point=DEFAULT_MOUNT_POINT, - ): - """Create an impersonated account or update an existing impersonated account. - - See impersonated account docs for the GCP secrets backend to learn more about what happens when you create or update an - impersonated account. - - Supported methods: - POST: /{mount_point}/impersonated-account/{name}. Produces: 204 (empty body) - - :param name: Name of the impersonated account. Cannot be updated. - :type name: str | unicode - :param service_account_email: Email of the GCP service account to manage. Cannot be updated. - :type service_account_email: str | unicode - :param token_scopes: List of OAuth scopes to assign to access tokens generated under this impersonated account - :type token_scopes: list[str] - :param ttl: Lifetime of the token generated. Defaults to 1 hour and is limited to a maximum of 12 hours. - Uses duration format strings. 
- :type ttl: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - params = { - "service_account_email": service_account_email, - } - params.update( - utils.remove_nones( - { - "token_scopes": token_scopes, - "ttl": ttl, - } - ) - ) - api_path = utils.format_url( - "/v1/{mount_point}/impersonated-account/{name}", - mount_point=mount_point, - name=name, - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def read_impersonated_account(self, name, mount_point=DEFAULT_MOUNT_POINT): - """Read an impersonated account. - - Supported methods: - GET: /{mount_point}/impersonated-account/{name}. Produces: 200 application/json - - :param name: Name of the impersonated account. - :type name: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: dict - """ - api_path = utils.format_url( - "/v1/{mount_point}/impersonated-account/{name}", - mount_point=mount_point, - name=name, - ) - return self._adapter.get( - url=api_path, - ) - - def list_impersonated_accounts(self, mount_point=DEFAULT_MOUNT_POINT): - """List configured impersonated accounts. - - Supported methods: - LIST: /{mount_point}/impersonated-accounts. Produces: 200 application/json - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: dict - """ - api_path = utils.format_url( - "/v1/{mount_point}/impersonated-accounts", mount_point=mount_point - ) - return self._adapter.list( - url=api_path, - ) - - def delete_impersonated_account(self, name, mount_point=DEFAULT_MOUNT_POINT): - """Delete an existing impersonated account by the given name. 
- - Supported methods: - DELETE: /{mount_point}/impersonated-account/{name} Produces: 204 (empty body) - - :param name: Name of the impersonated account. - :type name: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/{mount_point}/impersonated-account/{name}", - name=name, - mount_point=mount_point, - ) - return self._adapter.delete( - url=api_path, - ) - - def generate_impersonated_account_oauth2_access_token( - self, name, mount_point=DEFAULT_MOUNT_POINT - ): - """Generate an OAuth2 token with the scopes defined on the impersonated account. - - This OAuth access token can be used in GCP API calls, e.g. curl -H "Authorization: Bearer $TOKEN" ... - - Supported methods: - GET: /{mount_point}/impersonated-account/{name}/token. Produces: 200 application/json - - :param name: Name of the impersonated account to generate an access token under. - :type name: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. 
- :rtype: dict - """ - api_path = utils.format_url( - "/v1/{mount_point}/impersonated-account/{name}/token", - mount_point=mount_point, - name=name, - ) - return self._adapter.get( - url=api_path, - ) - - def _generate_service_account_key( - self, - api_path, - key_algorithm="KEY_ALG_RSA_2048", - key_type="TYPE_GOOGLE_CREDENTIALS_FILE", - method="POST", - ): - if method == "POST": - if key_algorithm not in SERVICE_ACCOUNT_KEY_ALGORITHMS: - error_msg = 'unsupported key_algorithm argument provided "{arg}", supported algorithms: "{algorithms}"' - raise exceptions.ParamValidationError( - error_msg.format( - arg=key_algorithm, - algorithms=",".join(SERVICE_ACCOUNT_KEY_ALGORITHMS), - ) - ) - if key_type not in SERVICE_ACCOUNT_KEY_TYPES: - error_msg = 'unsupported key_type argument provided "{arg}", supported types: "{key_types}"' - raise exceptions.ParamValidationError( - error_msg.format( - arg=key_type, - key_types=",".join(SERVICE_ACCOUNT_KEY_TYPES), - ) - ) - - params = { - "key_algorithm": key_algorithm, - "key_type": key_type, - } - - response = self._adapter.post( - url=api_path, - json=params, - ) - elif method == "GET": - response = self._adapter.get( - url=api_path, - ) - else: - error_message = '"method" parameter provided invalid value; POST or GET allowed, "{method}" provided'.format( - method=method - ) - raise exceptions.ParamValidationError(error_message) - - return response diff --git a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/identity.py b/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/identity.py deleted file mode 100644 index 34d02c9..0000000 --- a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/identity.py +++ /dev/null 
@@ -1,1642 +0,0 @@ -#!/usr/bin/env python -"""Identity secret engine module.""" -import logging - -from hvac import exceptions, utils -from hvac.api.vault_api_base import VaultApiBase -from hvac.constants.identity import ALLOWED_GROUP_TYPES, DEFAULT_MOUNT_POINT - -logger = logging.getLogger(__name__) - - -class Identity(VaultApiBase): - """Identity Secrets Engine (API). - - Reference: https://www.vaultproject.io/api/secret/identity/entity.html - """ - - def create_or_update_entity( - self, - name, - entity_id=None, - metadata=None, - policies=None, - disabled=None, - mount_point=DEFAULT_MOUNT_POINT, - ): - """Create or update an Entity. - - Supported methods: - POST: /{mount_point}/entity. Produces: 200 application/json - - :param entity_id: ID of the entity. If set, updates the corresponding existing entity. - :type entity_id: str | unicode - :param name: Name of the entity. - :type name: str | unicode - :param metadata: Metadata to be associated with the entity. - :type metadata: dict - :param policies: Policies to be tied to the entity. - :type policies: str | unicode - :param disabled: Whether the entity is disabled. Disabled entities' associated tokens cannot be used, but are - not revoked. - :type disabled: bool - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response for creates, the generic response object for updates, of the request. 
- :rtype: dict | requests.Response - """ - if metadata is not None and not isinstance(metadata, dict): - error_msg = 'unsupported metadata argument provided "{arg}" ({arg_type}), required type: dict"' - raise exceptions.ParamValidationError( - error_msg.format( - arg=metadata, - arg_type=type(metadata), - ) - ) - params = utils.remove_nones( - { - "id": entity_id, - "name": name, - "metadata": metadata, - "policies": policies, - "disabled": disabled, - } - ) - api_path = utils.format_url("/v1/{mount_point}/entity", mount_point=mount_point) - return self._adapter.post( - url=api_path, - json=params, - ) - - def create_or_update_entity_by_name( - self, - name, - metadata=None, - policies=None, - disabled=None, - mount_point=DEFAULT_MOUNT_POINT, - ): - """Create or update an entity by a given name. - - Supported methods: - POST: /{mount_point}/entity/name/{name}. Produces: 200 application/json - - :param name: Name of the entity. - :type name: str | unicode - :param metadata: Metadata to be associated with the entity. - :type metadata: dict - :param policies: Policies to be tied to the entity. - :type policies: str | unicode - :param disabled: Whether the entity is disabled. Disabled - entities' associated tokens cannot be used, but are not revoked. - :type disabled: bool - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response for creates, the generic response of the request for updates. 
- :rtype: requests.Response | dict - """ - if metadata is not None and not isinstance(metadata, dict): - error_msg = 'unsupported metadata argument provided "{arg}" ({arg_type}), required type: dict"' - raise exceptions.ParamValidationError( - error_msg.format( - arg=metadata, - arg_type=type(metadata), - ) - ) - params = utils.remove_nones( - { - "metadata": metadata, - "policies": policies, - "disabled": disabled, - } - ) - api_path = utils.format_url( - "/v1/{mount_point}/entity/name/{name}", - mount_point=mount_point, - name=name, - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def read_entity(self, entity_id, mount_point=DEFAULT_MOUNT_POINT): - """Query an entity by its identifier. - - Supported methods: - GET: /auth/{mount_point}/entity/id/{id}. Produces: 200 application/json - - :param entity_id: Identifier of the entity. - :type entity_id: str - :param mount_point: The "path" the secret engine was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: dict - """ - api_path = utils.format_url( - "/v1/{mount_point}/entity/id/{id}", - mount_point=mount_point, - id=entity_id, - ) - return self._adapter.get(url=api_path) - - def read_entity_by_name(self, name, mount_point=DEFAULT_MOUNT_POINT): - """Query an entity by its name. - - Supported methods: - GET: /{mount_point}/entity/name/{name}. Produces: 200 application/json - - :param name: Name of the entity. - :type name: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. 
- :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/{mount_point}/entity/name/{name}", - mount_point=mount_point, - name=name, - ) - return self._adapter.get( - url=api_path, - ) - - def update_entity( - self, - entity_id, - name=None, - metadata=None, - policies=None, - disabled=None, - mount_point=DEFAULT_MOUNT_POINT, - ): - """Update an existing entity. - - Supported methods: - POST: /{mount_point}/entity/id/{id}. Produces: 200 application/json - - :param entity_id: Identifier of the entity. - :type entity_id: str | unicode - :param name: Name of the entity. - :type name: str | unicode - :param metadata: Metadata to be associated with the entity. - :type metadata: dict - :param policies: Policies to be tied to the entity. - :type policies: str | unicode - :param disabled: Whether the entity is disabled. Disabled entities' associated tokens cannot be used, but - are not revoked. - :type disabled: bool - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response where available, otherwise the generic response object, of the request. - :rtype: dict | requests.Response - """ - if metadata is not None and not isinstance(metadata, dict): - error_msg = 'unsupported metadata argument provided "{arg}" ({arg_type}), required type: dict"' - raise exceptions.ParamValidationError( - error_msg.format( - arg=metadata, - arg_type=type(metadata), - ) - ) - params = utils.remove_nones( - { - "name": name, - "metadata": metadata, - "policies": policies, - "disabled": disabled, - } - ) - api_path = utils.format_url( - "/v1/{mount_point}/entity/id/{id}", - mount_point=mount_point, - id=entity_id, - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def delete_entity(self, entity_id, mount_point=DEFAULT_MOUNT_POINT): - """Delete an entity and all its associated aliases. - - Supported methods: - DELETE: /{mount_point}/entity/id/:id. 
Produces: 204 (empty body) - - :param entity_id: Identifier of the entity. - :type entity_id: str - :param mount_point: The "path" the secret engine was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/{mount_point}/entity/id/{id}", - mount_point=mount_point, - id=entity_id, - ) - return self._adapter.delete( - url=api_path, - ) - - def delete_entity_by_name(self, name, mount_point=DEFAULT_MOUNT_POINT): - """Delete an entity and all its associated aliases, given the entity name. - - Supported methods: - DELETE: /{mount_point}/entity/name/{name}. Produces: 204 (empty body) - - :param name: Name of the entity. - :type name: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/{mount_point}/entity/name/{name}", - mount_point=mount_point, - name=name, - ) - return self._adapter.delete( - url=api_path, - ) - - def list_entities(self, method="LIST", mount_point=DEFAULT_MOUNT_POINT): - """List available entities entities by their identifiers. - - :param method: Supported methods: - LIST: /{mount_point}/entity/id. Produces: 200 application/json - GET: /{mount_point}/entity/id?list=true. Produces: 200 application/json - :type method: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. 
- :rtype: dict - """ - if method == "LIST": - api_path = utils.format_url( - "/v1/{mount_point}/entity/id", mount_point=mount_point - ) - response = self._adapter.list( - url=api_path, - ) - - elif method == "GET": - api_path = utils.format_url( - "/v1/{mount_point}/entity/id?list=true", mount_point=mount_point - ) - response = self._adapter.get( - url=api_path, - ) - else: - error_message = '"method" parameter provided invalid value; LIST or GET allowed, "{method}" provided'.format( - method=method - ) - raise exceptions.ParamValidationError(error_message) - - return response - - def list_entities_by_name(self, method="LIST", mount_point=DEFAULT_MOUNT_POINT): - """List available entities by their names. - - :param method: Supported methods: - LIST: /{mount_point}/entity/name. Produces: 200 application/json - GET: /{mount_point}/entity/name?list=true. Produces: 200 application/json - :type method: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: dict - """ - if method == "LIST": - api_path = utils.format_url( - "/v1/{mount_point}/entity/name", mount_point=mount_point - ) - response = self._adapter.list( - url=api_path, - ) - - elif method == "GET": - api_path = utils.format_url( - "/v1/{mount_point}/entity/name?list=true", mount_point=mount_point - ) - response = self._adapter.get( - url=api_path, - ) - else: - error_message = '"method" parameter provided invalid value; LIST or GET allowed, "{method}" provided'.format( - method=method - ) - raise exceptions.ParamValidationError(error_message) - - return response - - def merge_entities( - self, - from_entity_ids, - to_entity_id, - force=None, - mount_point=DEFAULT_MOUNT_POINT, - conflicting_alias_ids_to_keep=None, - ): - """Merge many entities into one entity. - - Supported methods: - POST: /{mount_point}/entity/merge. 
Produces: 204 (empty body) - - :param from_entity_ids: Entity IDs which needs to get merged. - :type from_entity_ids: array - :param to_entity_id: Entity ID into which all the other entities need to get merged. - :type to_entity_id: str | unicode - :param force: Setting this will follow the 'mine' strategy for merging MFA secrets. If there are secrets of the - same type both in entities that are merged from and in entity into which all others are getting merged, - secrets in the destination will be unaltered. If not set, this API will throw an error containing all the - conflicts. - :type force: bool - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :param conflicting_alias_ids_to_keep: A list of entity aliases to keep in the case where the to-Entity and - from-Entity have aliases with the same mount accessor. In the case where alias share mount accessors, the - alias ID given in this list will be kept or merged, and the other alias will be deleted. Note that merges - requiring this parameter must have only one from-Entity. - Requires Vault 1.12 or higher - :type conflicting_alias_ids_to_keep: list - :return: The response of the request. - :rtype: requests.Response - """ - params = utils.remove_nones( - { - "from_entity_ids": from_entity_ids, - "to_entity_id": to_entity_id, - "force": force, - "conflicting_alias_ids_to_keep": conflicting_alias_ids_to_keep, - } - ) - api_path = utils.format_url( - "/v1/{mount_point}/entity/merge", mount_point=mount_point - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def create_or_update_entity_alias( - self, - name, - canonical_id, - mount_accessor, - alias_id=None, - mount_point=DEFAULT_MOUNT_POINT, - ): - """Create a new alias for an entity. - - Supported methods: - POST: /{mount_point}/entity-alias. Produces: 200 application/json - - :param name: Name of the alias. Name should be the identifier of the client in the authentication source. 
For - example, if the alias belongs to userpass backend, the name should be a valid username within userpass - backend. If alias belongs to GitHub, it should be the GitHub username. - :type name: str | unicode - :param alias_id: ID of the entity alias. If set, updates the corresponding entity alias. - :type alias_id: str | unicode - :param canonical_id: Entity ID to which this alias belongs to. - :type canonical_id: str | unicode - :param mount_accessor: Accessor of the mount to which the alias should belong to. - :type mount_accessor: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: requests.Response - """ - params = utils.remove_nones( - { - "id": alias_id, - "name": name, - "canonical_id": canonical_id, - "mount_accessor": mount_accessor, - } - ) - api_path = utils.format_url( - "/v1/{mount_point}/entity-alias", mount_point=mount_point - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def read_entity_alias(self, alias_id, mount_point=DEFAULT_MOUNT_POINT): - """Query the entity alias by its identifier. - - Supported methods: - GET: /{mount_point}/entity-alias/id/{id}. Produces: 200 application/json - - :param alias_id: Identifier of entity alias. - :type alias_id: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: dict - """ - api_path = utils.format_url( - "/v1/{mount_point}/entity-alias/id/{id}", - mount_point=mount_point, - id=alias_id, - ) - return self._adapter.get( - url=api_path, - ) - - def update_entity_alias( - self, - alias_id, - name, - canonical_id, - mount_accessor, - mount_point=DEFAULT_MOUNT_POINT, - ): - """Update an existing entity alias. - - Supported methods: - POST: /{mount_point}/entity-alias/id/{id}. 
Produces: 200 application/json - - :param alias_id: Identifier of the entity alias. - :type alias_id: str | unicode - :param name: Name of the alias. Name should be the identifier of the client in the authentication source. For - example, if the alias belongs to userpass backend, the name should be a valid username within userpass - backend. If alias belongs to GitHub, it should be the GitHub username. - :type name: str | unicode - :param canonical_id: Entity ID to which this alias belongs to. - :type canonical_id: str | unicode - :param mount_accessor: Accessor of the mount to which the alias should belong to. - :type mount_accessor: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response where available, otherwise the generic response object, of the request. - :rtype: dict | requests.Response - """ - params = utils.remove_nones( - { - "name": name, - "canonical_id": canonical_id, - "mount_accessor": mount_accessor, - } - ) - api_path = utils.format_url( - "/v1/{mount_point}/entity-alias/id/{id}", - mount_point=mount_point, - id=alias_id, - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def list_entity_aliases(self, method="LIST", mount_point=DEFAULT_MOUNT_POINT): - """List available entity aliases by their identifiers. - - :param method: Supported methods: - LIST: /{mount_point}/entity-alias/id. Produces: 200 application/json - GET: /{mount_point}/entity-alias/id?list=true. Produces: 200 application/json - :type method: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The the JSON response of the request. 
- :rtype: dict - """ - - if method == "LIST": - api_path = utils.format_url( - "/v1/{mount_point}/entity-alias/id", mount_point=mount_point - ) - response = self._adapter.list( - url=api_path, - ) - - elif method == "GET": - api_path = utils.format_url( - "/v1/{mount_point}/entity-alias/id?list=true", mount_point=mount_point - ) - response = self._adapter.get( - url=api_path, - ) - else: - error_message = '"method" parameter provided invalid value; LIST or GET allowed, "{method}" provided'.format( - method=method - ) - raise exceptions.ParamValidationError(error_message) - - return response - - def delete_entity_alias(self, alias_id, mount_point=DEFAULT_MOUNT_POINT): - """Delete a entity alias. - - Supported methods: - DELETE: /{mount_point}/entity-alias/id/{alias_id}. Produces: 204 (empty body) - - :param alias_id: Identifier of the entity. - :type alias_id: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/{mount_point}/entity-alias/id/{id}", - mount_point=mount_point, - id=alias_id, - ) - return self._adapter.delete( - url=api_path, - ) - - @staticmethod - def validate_member_id_params_for_group_type( - group_type, params, member_group_ids, member_entity_ids - ): - """Determine whether member ID parameters can be sent with a group create / update request. - - These parameters are only allowed for the internal group type. If they're set for an external group type, Vault - returns a "error" response. - - :param group_type: Type of the group, internal or external - :type group_type: str | unicode - :param params: Params dict to conditionally add the member entity/group ID's to. - :type params: dict - :param member_group_ids: Group IDs to be assigned as group members. - :type member_group_ids: str | unicode - :param member_entity_ids: Entity IDs to be assigned as group members. 
- :type member_entity_ids: str | unicode
- :return: Params dict with conditionally added member entity/group ID's.
- :rtype: dict
- """
- if group_type == "external":
- if member_entity_ids is not None:
- logger.warning(
- "InvalidRequest: member entities can't be set manually for external groups ignoring member_entity_ids argument."
- )
- else:
- params["member_entity_ids"] = member_entity_ids
-
- if group_type == "external":
- if member_group_ids is not None:
- logger.warning(
- "InvalidRequest: member groups can't be set for external groups; ignoring member_group_ids argument."
- )
- else:
- params["member_group_ids"] = member_group_ids
-
- return params
-
- def create_or_update_group(
- self,
- name,
- group_id=None,
- group_type="internal",
- metadata=None,
- policies=None,
- member_group_ids=None,
- member_entity_ids=None,
- mount_point=DEFAULT_MOUNT_POINT,
- ):
- """Create or update a Group.
-
- Supported methods:
- POST: /{mount_point}/group. Produces: 200 application/json
-
- :param name: Name of the group.
- :type name: str | unicode
- :param group_id: ID of the group. If set, updates the corresponding existing group.
- :type group_id: str | unicode
- :param group_type: Type of the group, internal or external. Defaults to internal.
- :type group_type: str | unicode
- :param metadata: Metadata to be associated with the group.
- :type metadata: dict
- :param policies: Policies to be tied to the group.
- :type policies: str | unicode
- :param member_group_ids: Group IDs to be assigned as group members.
- :type member_group_ids: str | unicode
- :param member_entity_ids: Entity IDs to be assigned as group members.
- :type member_entity_ids: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The JSON response where available, otherwise the generic response object, of the request.
- :rtype: dict | requests.Response
- """
- if metadata is not None and not isinstance(metadata, dict):
- error_msg = 'unsupported metadata argument provided "{arg}" ({arg_type}), required type: dict"'
- raise exceptions.ParamValidationError(
- error_msg.format(
- arg=metadata,
- arg_type=type(metadata),
- )
- )
- if group_type not in ALLOWED_GROUP_TYPES:
- error_msg = 'unsupported group_type argument provided "{arg}", allowed values: ({allowed_values})'
- raise exceptions.ParamValidationError(
- error_msg.format(
- arg=group_type,
- allowed_values=ALLOWED_GROUP_TYPES,
- )
- )
- params = utils.remove_nones(
- {
- "id": group_id,
- "name": name,
- "type": group_type,
- "metadata": metadata,
- "policies": policies,
- }
- )
-
- Identity.validate_member_id_params_for_group_type(
- group_type=group_type,
- params=params,
- member_group_ids=member_group_ids,
- member_entity_ids=member_entity_ids,
- )
-
- api_path = utils.format_url("/v1/{mount_point}/group", mount_point=mount_point)
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def read_group(self, group_id, mount_point=DEFAULT_MOUNT_POINT):
- """Query the group by its identifier.
-
- Supported methods:
- GET: /{mount_point}/group/id/{id}. Produces: 200 application/json
-
- :param group_id: Identifier of the group.
- :type group_id: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The JSON response of the request.
- :rtype: requests.Response
- """
- api_path = utils.format_url(
- "/v1/{mount_point}/group/id/{id}",
- mount_point=mount_point,
- id=group_id,
- )
- return self._adapter.get(
- url=api_path,
- )
-
- def update_group(
- self,
- group_id,
- name,
- group_type="internal",
- metadata=None,
- policies=None,
- member_group_ids=None,
- member_entity_ids=None,
- mount_point=DEFAULT_MOUNT_POINT,
- ):
- """Update an existing group.
-
- Supported methods:
- POST: /{mount_point}/group/id/{id}.
Produces: 200 application/json
-
- :param group_id: Identifier of the entity.
- :type group_id: str | unicode
- :param name: Name of the group.
- :type name: str | unicode
- :param group_type: Type of the group, internal or external. Defaults to internal.
- :type group_type: str | unicode
- :param metadata: Metadata to be associated with the group.
- :type metadata: dict
- :param policies: Policies to be tied to the group.
- :type policies: str | unicode
- :param member_group_ids: Group IDs to be assigned as group members.
- :type member_group_ids: str | unicode
- :param member_entity_ids: Entity IDs to be assigned as group members.
- :type member_entity_ids: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The JSON response where available, otherwise the generic response object, of the request.
- :rtype: dict | requests.Response
- """
- if metadata is not None and not isinstance(metadata, dict):
- error_msg = 'unsupported metadata argument provided "{arg}" ({arg_type}), required type: dict"'
- raise exceptions.ParamValidationError(
- error_msg.format(
- arg=metadata,
- arg_type=type(metadata),
- )
- )
- if group_type not in ALLOWED_GROUP_TYPES:
- error_msg = 'unsupported group_type argument provided "{arg}", allowed values: ({allowed_values})'
- raise exceptions.ParamValidationError(
- error_msg.format(
- arg=group_type,
- allowed_values=ALLOWED_GROUP_TYPES,
- )
- )
- params = utils.remove_nones(
- {
- "name": name,
- "type": group_type,
- "metadata": metadata,
- "policies": policies,
- }
- )
-
- Identity.validate_member_id_params_for_group_type(
- group_type=group_type,
- params=params,
- member_group_ids=member_group_ids,
- member_entity_ids=member_entity_ids,
- )
-
- api_path = utils.format_url(
- "/v1/{mount_point}/group/id/{id}",
- mount_point=mount_point,
- id=group_id,
- )
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def delete_group(self, group_id,
mount_point=DEFAULT_MOUNT_POINT):
- """Delete a group.
-
- Supported methods:
- DELETE: /{mount_point}/group/id/{id}. Produces: 204 (empty body)
-
- :param group_id: Identifier of the entity.
- :type group_id: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The response of the request.
- :rtype: requests.Response
- """
- api_path = utils.format_url(
- "/v1/{mount_point}/group/id/{id}",
- mount_point=mount_point,
- id=group_id,
- )
- return self._adapter.delete(
- url=api_path,
- )
-
- def list_groups(self, method="LIST", mount_point=DEFAULT_MOUNT_POINT):
- """List available groups by their identifiers.
-
- :param method: Supported methods:
- LIST: /{mount_point}/group/id. Produces: 200 application/json
- GET: /{mount_point}/group/id?list=true. Produces: 200 application/json
- :type method: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The JSON response of the request.
- :rtype: dict
- """
-
- if method == "LIST":
- api_path = utils.format_url(
- "/v1/{mount_point}/group/id", mount_point=mount_point
- )
- response = self._adapter.list(
- url=api_path,
- )
-
- elif method == "GET":
- api_path = utils.format_url(
- "/v1/{mount_point}/group/id?list=true", mount_point=mount_point
- )
- response = self._adapter.get(
- url=api_path,
- )
- else:
- error_message = '"method" parameter provided invalid value; LIST or GET allowed, "{method}" provided'.format(
- method=method
- )
- raise exceptions.ParamValidationError(error_message)
-
- return response
-
- def list_groups_by_name(self, method="LIST", mount_point=DEFAULT_MOUNT_POINT):
- """List available groups by their names.
-
- :param method: Supported methods:
- LIST: /{mount_point}/group/name. Produces: 200 application/json
- GET: /{mount_point}/group/name?list=true.
Produces: 200 application/json
- :type method: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The JSON response of the request.
- :rtype: dict
- """
-
- if method == "LIST":
- api_path = utils.format_url(
- "/v1/{mount_point}/group/name", mount_point=mount_point
- )
- response = self._adapter.list(
- url=api_path,
- )
-
- elif method == "GET":
- api_path = utils.format_url(
- "/v1/{mount_point}/group/name?list=true", mount_point=mount_point
- )
- response = self._adapter.get(
- url=api_path,
- )
- else:
- error_message = '"method" parameter provided invalid value; LIST or GET allowed, "{method}" provided'.format(
- method=method
- )
- raise exceptions.ParamValidationError(error_message)
-
- return response
-
- def create_or_update_group_by_name(
- self,
- name,
- group_type="internal",
- metadata=None,
- policies=None,
- member_group_ids=None,
- member_entity_ids=None,
- mount_point=DEFAULT_MOUNT_POINT,
- ):
- """Create or update a group by its name.
-
- Supported methods:
- POST: /{mount_point}/group/name/{name}. Produces: 200 application/json
-
- :param name: Name of the group.
- :type name: str | unicode
- :param group_type: Type of the group, internal or external. Defaults to internal.
- :type group_type: str | unicode
- :param metadata: Metadata to be associated with the group.
- :type metadata: dict
- :param policies: Policies to be tied to the group.
- :type policies: str | unicode
- :param member_group_ids: Group IDs to be assigned as group members.
- :type member_group_ids: str | unicode
- :param member_entity_ids: Entity IDs to be assigned as group members.
- :type member_entity_ids: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The response of the request.
- :rtype: requests.Response
- """
-
- if metadata is not None and not isinstance(metadata, dict):
- error_msg = 'unsupported metadata argument provided "{arg}" ({arg_type}), required type: dict"'
- raise exceptions.ParamValidationError(
- error_msg.format(
- arg=metadata,
- arg_type=type(metadata),
- )
- )
- if group_type not in ALLOWED_GROUP_TYPES:
- error_msg = 'unsupported group_type argument provided "{arg}", allowed values: ({allowed_values})'
- raise exceptions.ParamValidationError(
- error_msg.format(
- arg=group_type,
- allowed_values=ALLOWED_GROUP_TYPES,
- )
- )
- params = utils.remove_nones(
- {
- "type": group_type,
- "metadata": metadata,
- "policies": policies,
- }
- )
- if group_type != "external":
- external_only_params = utils.remove_nones(
- {
- "member_group_ids": member_group_ids,
- "member_entity_ids": member_entity_ids,
- }
- )
- params.update(external_only_params)
- api_path = utils.format_url(
- "/v1/{mount_point}/group/name/{name}",
- mount_point=mount_point,
- name=name,
- )
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def read_group_by_name(self, name, mount_point=DEFAULT_MOUNT_POINT):
- """Query a group by its name.
-
- Supported methods:
- GET: /{mount_point}/group/name/{name}. Produces: 200 application/json
-
- :param name: Name of the group.
- :type name: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The JSON response of the request.
- :rtype: dict
- """
- api_path = utils.format_url(
- "/v1/{mount_point}/group/name/{name}",
- mount_point=mount_point,
- name=name,
- )
- return self._adapter.get(
- url=api_path,
- )
-
- def delete_group_by_name(self, name, mount_point=DEFAULT_MOUNT_POINT):
- """Delete a group, given its name.
-
- Supported methods:
- DELETE: /{mount_point}/group/name/{name}. Produces: 204 (empty body)
-
- :param name: Name of the group.
- :type name: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The response of the request.
- :rtype: requests.Response
- """
- api_path = utils.format_url(
- "/v1/{mount_point}/group/name/{name}",
- mount_point=mount_point,
- name=name,
- )
- return self._adapter.delete(
- url=api_path,
- )
-
- def create_or_update_group_alias(
- self,
- name,
- alias_id=None,
- mount_accessor=None,
- canonical_id=None,
- mount_point=DEFAULT_MOUNT_POINT,
- ):
- """Creates or update a group alias.
-
- Supported methods:
- POST: /{mount_point}/group-alias. Produces: 200 application/json
-
- :param alias_id: ID of the group alias. If set, updates the corresponding existing group alias.
- :type alias_id: str | unicode
- :param name: Name of the group alias.
- :type name: str | unicode
- :param mount_accessor: Mount accessor to which this alias belongs to
- :type mount_accessor: str | unicode
- :param canonical_id: ID of the group to which this is an alias.
- :type canonical_id: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The JSON response of the request.
- :rtype: requests.Response
- """
- params = utils.remove_nones(
- {
- "id": alias_id,
- "name": name,
- "mount_accessor": mount_accessor,
- "canonical_id": canonical_id,
- }
- )
- api_path = utils.format_url(
- "/v1/{mount_point}/group-alias", mount_point=mount_point
- )
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def update_group_alias(
- self,
- entity_id,
- name,
- mount_accessor=None,
- canonical_id=None,
- mount_point=DEFAULT_MOUNT_POINT,
- ):
- """Update an existing group alias.
-
- Supported methods:
- POST: /{mount_point}/group-alias/id/{id}. Produces: 200 application/json
-
- :param entity_id: ID of the group alias.
- :type entity_id: str | unicode
- :param name: Name of the group alias.
- :type name: str | unicode
- :param mount_accessor: Mount accessor to which this alias belongs
- toMount accessor to which this alias belongs to.
- :type mount_accessor: str | unicode
- :param canonical_id: ID of the group to which this is an alias.
- :type canonical_id: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The response of the request.
- :rtype: requests.Response
- """
- params = utils.remove_nones(
- {
- "name": name,
- "mount_accessor": mount_accessor,
- "canonical_id": canonical_id,
- }
- )
- api_path = utils.format_url(
- "/v1/{mount_point}/group-alias/id/{id}",
- mount_point=mount_point,
- id=entity_id,
- )
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def read_group_alias(self, alias_id, mount_point=DEFAULT_MOUNT_POINT):
- """Query the group alias by its identifier.
-
- Supported methods:
- GET: /{mount_point}/group-alias/id/:id. Produces: 200 application/json
-
- :param alias_id: ID of the group alias.
- :type alias_id: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The JSON response of the request.
- :rtype: dict
- """
- api_path = utils.format_url(
- "/v1/{mount_point}/group-alias/id/{id}",
- mount_point=mount_point,
- id=alias_id,
- )
- return self._adapter.get(
- url=api_path,
- )
-
- def delete_group_alias(self, entity_id, mount_point=DEFAULT_MOUNT_POINT):
- """Delete a group alias.
-
- Supported methods:
- DELETE: /{mount_point}/group-alias/id/{id}. Produces: 204 (empty body)
-
- :param entity_id: ID of the group alias.
- :type entity_id: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The response of the request.
- :rtype: requests.Response
- """
- api_path = utils.format_url(
- "/v1/{mount_point}/group-alias/id/{id}",
- mount_point=mount_point,
- id=entity_id,
- )
- return self._adapter.delete(
- url=api_path,
- )
-
- def list_group_aliases(self, method="LIST", mount_point=DEFAULT_MOUNT_POINT):
- """List available group aliases by their identifiers.
-
- :param method: Supported methods:
- LIST: /{mount_point}/group-alias/id. Produces: 200 application/json
- GET: /{mount_point}/group-alias/id?list=true. Produces: 200 application/json
- :type method: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The "data" key from the JSON response of the request.
- :rtype: dict
- """
-
- if method == "LIST":
- api_path = utils.format_url(
- "/v1/{mount_point}/group-alias/id", mount_point=mount_point
- )
- response = self._adapter.list(
- url=api_path,
- )
- elif method == "GET":
- api_path = utils.format_url(
- "/v1/{mount_point}/group-alias/id?list=true", mount_point=mount_point
- )
- response = self._adapter.get(
- url=api_path,
- )
- else:
- error_message = '"method" parameter provided invalid value; LIST or GET allowed, "{method}" provided'.format(
- method=method
- )
- raise exceptions.ParamValidationError(error_message)
-
- return response
-
- def lookup_entity(
- self,
- name=None,
- entity_id=None,
- alias_id=None,
- alias_name=None,
- alias_mount_accessor=None,
- mount_point=DEFAULT_MOUNT_POINT,
- ):
- """Query an entity based on the given criteria.
-
- The criteria can be name, id, alias_id, or a combination of alias_name and alias_mount_accessor.
-
- Supported methods:
- POST: /{mount_point}/lookup/entity. Produces: 200 application/json
-
- :param name: Name of the entity.
- :type name: str | unicode
- :param entity_id: ID of the entity.
- :type entity_id: str | unicode
- :param alias_id: ID of the alias.
- :type alias_id: str | unicode
- :param alias_name: Name of the alias.
This should be supplied in conjunction with alias_mount_accessor.
- :type alias_name: str | unicode
- :param alias_mount_accessor: Accessor of the mount to which the alias belongs to. This should be supplied in conjunction with alias_name.
- :type alias_mount_accessor: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The JSON response of the request if a entity / entity alias is found in the lookup, None otherwise.
- :rtype: dict | None
- """
- params = {}
- if name is not None:
- params["name"] = name
- elif entity_id is not None:
- params["id"] = entity_id
- elif alias_id is not None:
- params["alias_id"] = alias_id
- elif alias_name is not None and alias_mount_accessor is not None:
- params["alias_name"] = alias_name
- params["alias_mount_accessor"] = alias_mount_accessor
- api_path = utils.format_url(
- "/v1/{mount_point}/lookup/entity", mount_point=mount_point
- )
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def lookup_group(
- self,
- name=None,
- group_id=None,
- alias_id=None,
- alias_name=None,
- alias_mount_accessor=None,
- mount_point=DEFAULT_MOUNT_POINT,
- ):
- """Query a group based on the given criteria.
-
- The criteria can be name, id, alias_id, or a combination of alias_name and alias_mount_accessor.
-
- Supported methods:
- POST: /{mount_point}/lookup/group. Produces: 200 application/json
-
- :param name: Name of the group.
- :type name: str | unicode
- :param group_id: ID of the group.
- :type group_id: str | unicode
- :param alias_id: ID of the alias.
- :type alias_id: str | unicode
- :param alias_name: Name of the alias. This should be supplied in conjunction with alias_mount_accessor.
- :type alias_name: str | unicode
- :param alias_mount_accessor: Accessor of the mount to which the alias belongs to. This should be supplied in conjunction with alias_name.
- :type alias_mount_accessor: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The JSON response of the request if a group / group alias is found in the lookup, None otherwise.
- :rtype: dict | None
- """
- params = {}
- if name is not None:
- params["name"] = name
- elif group_id is not None:
- params["id"] = group_id
- elif alias_id is not None:
- params["alias_id"] = alias_id
- elif alias_name is not None and alias_mount_accessor is not None:
- params["alias_name"] = alias_name
- params["alias_mount_accessor"] = alias_mount_accessor
- api_path = utils.format_url(
- "/v1/{mount_point}/lookup/group", mount_point=mount_point
- )
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def configure_tokens_backend(self, issuer=None, mount_point=DEFAULT_MOUNT_POINT):
- """Update configurations for OIDC-compliant identity tokens issued by Vault.
-
- Supported methods:
- POST: {mount_point}/oidc/config.
-
- :param issuer: Issuer URL to be used in the iss claim of the token. If not set, Vault's api_addr will be used.
- The issuer is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port
- number and path components, but no query or fragment components.
- :type issuer: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The a dict or the response of the configure_tokens_backend request. dict returned when messages
- are included in the response body.
- :rtype: requests.Response
- """
- params = utils.remove_nones(
- {
- "issuer": issuer,
- }
- )
-
- api_path = utils.format_url(
- "/v1/{mount_point}/oidc/config",
- mount_point=mount_point,
- )
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def read_tokens_backend_configuration(self, mount_point=DEFAULT_MOUNT_POINT):
- """Query vault identity tokens configurations.
-
- Supported methods:
- GET: {mount_point}/oidc/config.
-
- :return: The response of the read_tokens_backend_configuration request.
- :rtype: dict
- """
- api_path = utils.format_url(
- "/v1/{mount_point}/oidc/config",
- mount_point=mount_point,
- )
- return self._adapter.get(
- url=api_path,
- )
-
- def create_named_key(
- self,
- name,
- rotation_period="24h",
- verification_ttl="24h",
- allowed_client_ids=None,
- algorithm="RS256",
- mount_point=DEFAULT_MOUNT_POINT,
- ):
- """Create or update a named key which is used by a role to sign tokens.
-
- Supported methods:
- POST: {mount_point}/oidc/key/:name.
-
- :param name: Name of the named key.
- :type name: str | unicode
- :param rotation_period: How often to generate a new signing key. Can be specified as a number of seconds or as
- a time string like "30m" or "6h".
- :type rotation_period: str | unicode
- :param verification_ttl: Controls how long the public portion of a signing key will be available for
- verification after being rotated.
- :type verification_ttl: str | unicode
- :param allowed_client_ids: List of role client ids allowed to use this key for signing.
- If empty, no roles are allowed. If "*", all roles are allowed.
- :type allowed_client_ids: list
- :param algorithm: Signing algorithm to use. Allowed values are: RS256 (default), RS384, RS512, ES256, ES384,
- ES512, EdDSA.
- :type algorithm: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The response of the create_a_named_key request.
- :rtype: dict
- """
- params = {
- "name": name,
- "rotation_period": rotation_period,
- "verification_ttl": verification_ttl,
- "allowed_client_ids": allowed_client_ids,
- "algorithm": algorithm,
- }
-
- api_path = utils.format_url(
- "/v1/{mount_point}/oidc/key/{name}",
- mount_point=mount_point,
- name=name,
- )
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def read_named_key(self, name, mount_point=DEFAULT_MOUNT_POINT):
- """Query a named key and returns its configurations.
-
- Supported methods:
- GET: {mount_point}/oidc/key/:name.
-
- :param name: Name of the key.
- :type name: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The response of the read_a_named_key request.
- :rtype: dict
- """
- api_path = utils.format_url(
- "/v1/{mount_point}/oidc/key/{name}",
- mount_point=mount_point,
- name=name,
- )
- return self._adapter.get(
- url=api_path,
- )
-
- def delete_named_key(self, name, mount_point=DEFAULT_MOUNT_POINT):
- """Delete a named key.
-
- Supported methods:
- DELETE: {mount_point}/oidc/key/:name.
-
- :param name: Name of the key.
- :type name: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The response of the delete_a_named_key request.
- :rtype: dict
- """
- api_path = utils.format_url(
- "/v1/{mount_point}/oidc/key/{name}",
- mount_point=mount_point,
- name=name,
- )
- return self._adapter.delete(
- url=api_path,
- )
-
- def list_named_keys(self, mount_point=DEFAULT_MOUNT_POINT):
- """List all named keys.
-
- Supported methods:
- LIST: {mount_point}/oidc/key.
-
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The response of the list_named_keys request.
- :rtype: dict
- """
- api_path = utils.format_url(
- "/v1/{mount_point}/oidc/key",
- mount_point=mount_point,
- )
- return self._adapter.list(
- url=api_path,
- )
-
- def rotate_named_key(self, name, verification_ttl, mount_point=DEFAULT_MOUNT_POINT):
- """Rotate a named key.
-
- Supported methods:
- POST: {mount_point}/oidc/key/:name/rotate.
-
- :param name: Name of the key to be rotated.
- :type name: str | unicode
- :param verification_ttl: Controls how long the public portion of the key will be available for verification after being rotated.
- Setting verification_ttl here will override the verification_ttl set on the key.
- :type verification_ttl: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The response of the rotate_a_named_key request.
- :rtype: dict
- """
- params = {
- "verification_ttl": verification_ttl,
- }
- api_path = utils.format_url(
- "/v1/{mount_point}/oidc/key/{name}",
- mount_point=mount_point,
- name=name,
- )
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def create_or_update_role(
- self,
- name,
- key,
- template=None,
- client_id=None,
- ttl="24h",
- mount_point=DEFAULT_MOUNT_POINT,
- ):
- """Create or update a role.
-
- ID tokens are generated against a role and signed against a named key.
-
- Supported methods:
- POST: {mount_point}/oidc/role/:name.
-
- :param name: Name of the role.
- :type name: str | unicode
- :param key: A configured named key, the key must already exist.
- :type key: str | unicode
- :param template: The template string to use for generating tokens. This may be in stringified JSON or
- base64 format.
- :type template: str | unicode
- :param client_id: Optional client ID. A random ID will be generated if left unset.
- :type client_id: str | unicode
- :param ttl: TTL of the tokens generated against the role. Can be specified as a number of seconds or as a time
- string like "30m" or "6h".
- :type ttl: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The response of the create_or_update_a_role request.
- :rtype: dict
- """
- params = utils.remove_nones(
- {
- "key": key,
- "template": template,
- "client_id": client_id,
- "ttl": ttl,
- }
- )
- api_path = utils.format_url(
- "/v1/{mount_point}/oidc/role/{name}",
- mount_point=mount_point,
- name=name,
- )
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def read_role(self, name, mount_point=DEFAULT_MOUNT_POINT):
- """Query a role and returns its configuration.
-
- Supported methods:
- GET: {mount_point}/oidc/role/:name.
-
- :param name: Name of the role.
- :type name: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The response of the read_a_role request.
- :rtype: dict
- """
- api_path = utils.format_url(
- "/v1/{mount_point}/oidc/role/{name}",
- mount_point=mount_point,
- name=name,
- )
- return self._adapter.get(
- url=api_path,
- )
-
- def delete_role(self, name, mount_point=DEFAULT_MOUNT_POINT):
- """Deletes a role.
-
- Supported methods:
- DELETE: {mount_point}/oidc/role/:name.
-
-
- :param name: Name of the role.
- :type name: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The response of the delete_a_role request.
- :rtype: dict
- """
- api_path = utils.format_url(
- "/v1/{mount_point}/oidc/role/{name}",
- mount_point=mount_point,
- name=name,
- )
- return self._adapter.delete(
- url=api_path,
- )
-
- def list_roles(self, mount_point=DEFAULT_MOUNT_POINT):
- """
- This endpoint will list all signing keys.
-
- Supported methods:
- LIST: {mount_point}/oidc/role.
-
-
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The response of the list_roles request.
- :rtype: dict
- """
- api_path = utils.format_url(
- "/v1/{mount_point}/oidc/role",
- mount_point=mount_point,
- )
- return self._adapter.list(
- url=api_path,
- )
-
- def generate_signed_id_token(self, name, mount_point=DEFAULT_MOUNT_POINT):
- """Generate a signed ID (OIDC) token.
-
- Supported methods:
- GET: {mount_point}/oidc/token/:name.
-
- :param name: The name of the role against which to generate a signed ID token
- :type name: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The response of the generate_a_signed_id_token request.
- :rtype: dict
- """
- api_path = utils.format_url(
- "/v1/{mount_point}/oidc/token/{name}",
- mount_point=mount_point,
- name=name,
- )
- return self._adapter.get(
- url=api_path,
- )
-
- def introspect_signed_id_token(
- self, token, client_id=None, mount_point=DEFAULT_MOUNT_POINT
- ):
- """Verify the authenticity and active state of a signed ID token.
-
- Supported methods:
- POST: {mount_point}/oidc/introspect.
-
-
- :param token: A signed OIDC compliant ID token
- :type token: str | unicode
- :param client_id: Specifying the client ID optimizes validation time
- :type client_id: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The response of the introspect_a_signed_id_token request.
- :rtype: dict
- """
- params = utils.remove_nones(
- {
- "token": token,
- "client_id": client_id,
- }
- )
- api_path = utils.format_url(
- "/v1/{mount_point}/oidc/introspect",
- mount_point=mount_point,
- )
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def read_well_known_configurations(self, mount_point=DEFAULT_MOUNT_POINT):
- """Retrieve a set of claims about the identity tokens' configuration.
-
- The response is a compliant OpenID Provider Configuration Response.
-
- Supported methods:
- GET: {mount_point}/oidc/.well-known/openid-configuration.
-
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The response of the read_well_known_configurations request.
- :rtype: dict
- """
- api_path = utils.format_url(
- "/v1/{mount_point}/oidc/.well-known/openid-configuration",
- mount_point=mount_point,
- )
- return self._adapter.get(
- url=api_path,
- )
-
- def read_active_public_keys(self, mount_point=DEFAULT_MOUNT_POINT):
- """Retrieve the public portion of named keys.
-
- Clients can use this to validate the authenticity of an identity token.
-
- Supported methods:
- GET: {mount_point}/oidc/.well-known/openid-configuration.
-
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The response of the read_active_public_keys request.
- :rtype: dict
- """
- api_path = utils.format_url(
- "/v1/{mount_point}/oidc/.well-known/keys",
- mount_point=mount_point,
- )
- return self._adapter.get(
- url=api_path,
- )
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/kv.py b/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/kv.py
deleted file mode 100644
index 3e039c1..0000000
--- a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/kv.py
+++ /dev/null
@@ -1,80 +0,0 @@ -"""Kv secret backend methods module.""" - -import logging - -from hvac.api.secrets_engines import kv_v1, kv_v2 -from hvac.api.vault_api_base import VaultApiBase - -logger = logging.getLogger(__name__) - - -class Kv(VaultApiBase): - """Class containing methods for the key/value secrets_engines backend API routes. - Reference: https://www.vaultproject.io/docs/secrets/kv/index.html - - """ - - allowed_kv_versions = ["1", "2"] - - def __init__(self, adapter, default_kv_version="2"): - """Create a new Kv instance. - - :param adapter: Instance of :py:class:`hvac.adapters.Adapter`; used for performing HTTP requests. - :type adapter: hvac.adapters.Adapter - :param default_kv_version: KV version number (e.g., '1') to use as the default when accessing attributes/methods - under this class. - :type default_kv_version: str | unicode - """ - super().__init__(adapter=adapter) - self._default_kv_version = default_kv_version - - self._kv_v1 = kv_v1.KvV1(adapter=self._adapter) - self._kv_v2 = kv_v2.KvV2(adapter=self._adapter) - - @property - def v1(self): - """Accessor for kv version 1 class / method. Provided via the :py:class:`hvac.api.secrets_engines.kv_v1.KvV1` class. - - :return: This Kv instance's associated KvV1 instance. - :rtype: hvac.api.secrets_engines.kv_v1.KvV1 - """ - return self._kv_v1 - - @property - def v2(self): - """Accessor for kv version 2 class / method. Provided via the :py:class:`hvac.api.secrets_engines.kv_v2.KvV2` class. - - :return: This Kv instance's associated KvV2 instance. 
- :rtype: hvac.api.secrets_engines.kv_v2.KvV2 - """ - return self._kv_v2 - - @property - def default_kv_version(self): - return self._default_kv_version - - @default_kv_version.setter - def default_kv_version(self, default_kv_version): - if str(default_kv_version) not in self.allowed_kv_versions: - error_message = 'Invalid "default_kv_version"; "{allowed}" allowed, "{provided}" provided'.format( - allowed=",".join(self.allowed_kv_versions), provided=default_kv_version - ) - raise ValueError(error_message) - self._default_kv_version = str(default_kv_version) - - def __getattr__(self, item): - """Overridden magic method used to direct method calls to the appropriate KV version's hvac class. - - :param item: Name of the attribute/method being accessed - :type item: str | unicode - :return: The selected secrets_engines class corresponding to this instance's default_kv_version setting - :rtype: hvac.api.vault_api_base.VaultApiBase - """ - if item in ["_default_kv_version", "default_kv_version"]: - raise AttributeError - if self.default_kv_version == "1": - return getattr(self._kv_v1, item) - elif self.default_kv_version == "2": - return getattr(self._kv_v2, item) - - raise AttributeError diff --git a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/kv_v1.py b/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/kv_v1.py deleted file mode 100644 index 9ba0afb..0000000 --- a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/kv_v1.py +++ /dev/null 
@@ -1,144 +0,0 @@ -#!/usr/bin/env python -"""KvV1 methods module.""" -from hvac import exceptions, utils -from hvac.api.vault_api_base import VaultApiBase - -DEFAULT_MOUNT_POINT = "secret" - - -class KvV1(VaultApiBase): - """KV Secrets Engine - Version 1 (API). - - Reference: https://www.vaultproject.io/api/secrets/kv/kv-v1.html - """ - - def read_secret(self, path, mount_point=DEFAULT_MOUNT_POINT): - """Retrieve the secret at the specified location. - - Supported methods: - GET: /{mount_point}/{path}. Produces: 200 application/json - - - :param path: Specifies the path of the secret to read. This is specified as part of the URL. - :type path: str | unicode - :param mount_point: The "path" the secret engine was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the read_secret request. - :rtype: dict - """ - api_path = utils.format_url( - "/v1/{mount_point}/{path}", mount_point=mount_point, path=path - ) - return self._adapter.get( - url=api_path, - ) - - def list_secrets(self, path, mount_point=DEFAULT_MOUNT_POINT): - """Return a list of key names at the specified location. - - Folders are suffixed with /. The input must be a folder; list on a file will not return a value. Note that no - policy-based filtering is performed on keys; do not encode sensitive information in key names. The values - themselves are not accessible via this command. - - Supported methods: - LIST: /{mount_point}/{path}. Produces: 200 application/json - - :param path: Specifies the path of the secrets to list. - This is specified as part of the URL. - :type path: str | unicode - :param mount_point: The "path" the secret engine was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the list_secrets request. 
- :rtype: dict - """ - api_path = utils.format_url( - "/v1/{mount_point}/{path}", mount_point=mount_point, path=path - ) - return self._adapter.list( - url=api_path, - ) - - def create_or_update_secret( - self, path, secret, method=None, mount_point=DEFAULT_MOUNT_POINT - ): - """Store a secret at the specified location. - - If the value does not yet exist, the calling token must have an ACL policy granting the create capability. - If the value already exists, the calling token must have an ACL policy granting the update capability. - - Supported methods: - POST: /{mount_point}/{path}. Produces: 204 (empty body) - PUT: /{mount_point}/{path}. Produces: 204 (empty body) - - :param path: Specifies the path of the secrets to create/update. This is specified as part of the URL. - :type path: str | unicode - :param secret: Specifies keys, paired with associated values, to be held at the given location. Multiple - key/value pairs can be specified, and all will be returned on a read operation. A key called ttl will - trigger some special behavior. See the Vault KV secrets engine documentation for details. - :type secret: dict - :param method: Optional parameter to explicitly request a POST (create) or PUT (update) request to the selected - kv secret engine. If no argument is provided for this parameter, hvac attempts to intelligently determine - which method is appropriate. - :type method: str | unicode - :param mount_point: The "path" the secret engine was mounted on. - :type mount_point: str | unicode - :return: The response of the create_or_update_secret request. - :rtype: requests.Response - """ - if method is None: - # If no method was selected by the caller, use the result of a `read_secret()` call to determine if we need - # to perform an update (PUT) or creation (POST) request. 
- try: - self.read_secret( - path=path, - mount_point=mount_point, - ) - method = "PUT" - except exceptions.InvalidPath: - method = "POST" - - if method == "POST": - api_path = utils.format_url( - "/v1/{mount_point}/{path}", mount_point=mount_point, path=path - ) - return self._adapter.post( - url=api_path, - json=secret, - ) - - elif method == "PUT": - api_path = utils.format_url( - "/v1/{mount_point}/{path}", mount_point=mount_point, path=path - ) - return self._adapter.put( - url=api_path, - json=secret, - ) - - else: - error_message = '"method" parameter provided invalid value; POST or PUT allowed, "{method}" provided'.format( - method=method - ) - raise exceptions.ParamValidationError(error_message) - - def delete_secret(self, path, mount_point=DEFAULT_MOUNT_POINT): - """Delete the secret at the specified location. - - Supported methods: - DELETE: /{mount_point}/{path}. Produces: 204 (empty body) - - - :param path: Specifies the path of the secret to delete. - This is specified as part of the URL. - :type path: str | unicode - :param mount_point: The "path" the secret engine was mounted on. - :type mount_point: str | unicode - :return: The response of the delete_secret request. - :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/{mount_point}/{path}", mount_point=mount_point, path=path - ) - return self._adapter.delete( - url=api_path, - ) diff --git a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/kv_v2.py b/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/kv_v2.py deleted file mode 100644 index 6a69bc5..0000000 --- a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/kv_v2.py +++ /dev/null 
@@ -1,509 +0,0 @@ -#!/usr/bin/env python -"""KvV2 methods module.""" - -import warnings - -from hvac import exceptions, utils -from hvac.api.vault_api_base import VaultApiBase - -DEFAULT_MOUNT_POINT = "secret" - - -class KvV2(VaultApiBase): - """KV Secrets Engine - Version 2 (API). - - Reference: https://www.vaultproject.io/api/secret/kv/kv-v2.html - """ - - def configure( - self, - max_versions=10, - cas_required=None, - delete_version_after="0s", - mount_point=DEFAULT_MOUNT_POINT, - ): - """Configure backend level settings that are applied to every key in the key-value store. - - Supported methods: - POST: /{mount_point}/config. Produces: 204 (empty body) - - - :param max_versions: The number of versions to keep per key. This value applies to all keys, but a key's - metadata setting can overwrite this value. Once a key has more than the configured allowed versions the - oldest version will be permanently deleted. Defaults to 10. - :type max_versions: int - :param cas_required: If true all keys will require the cas parameter to be set on all write requests. - :type cas_required: bool - :param mount_point: The "path" the secret engine was mounted on. - :type mount_point: str | unicode - :param delete_version_after: Specifies the length of time before a version is deleted. Accepts Go duration format string. - Defaults to "0s" (i.e., disabled). - :type delete_version_after: str - :return: The response of the request. - :rtype: requests.Response - """ - params = { - "max_versions": max_versions, - "delete_version_after": delete_version_after, - } - if cas_required is not None: - params["cas_required"] = cas_required - api_path = utils.format_url("/v1/{mount_point}/config", mount_point=mount_point) - return self._adapter.post( - url=api_path, - json=params, - ) - - def read_configuration(self, mount_point=DEFAULT_MOUNT_POINT): - """Read the KV Version 2 configuration. - - Supported methods: - GET: /auth/{mount_point}/config. 
Produces: 200 application/json - - - :param mount_point: The "path" the secret engine was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: dict - """ - api_path = utils.format_url( - "/v1/{mount_point}/config", - mount_point=mount_point, - ) - return self._adapter.get(url=api_path) - - def read_secret( - self, path, mount_point=DEFAULT_MOUNT_POINT, raise_on_deleted_version=None - ): - """Retrieve the secret at the specified location. - - Equivalent to calling read_secret_version with version=None. - - Supported methods: - GET: /{mount_point}/data/{path}. Produces: 200 application/json - - - :param path: Specifies the path of the secret to read. This is specified as part of the URL. - :type path: str | unicode - :param mount_point: The "path" the secret engine was mounted on. - :type mount_point: str | unicode - :param raise_on_deleted_version: Changes the behavior when the requested version is deleted. - If True an exception will be raised. - If False, some metadata about the deleted secret is returned. - If None (pre-v3), a default of True will be used and a warning will be issued. - :type raise_on_deleted_version: bool - :return: The JSON response of the request. - :rtype: dict - """ - return self.read_secret_version( - path, - mount_point=mount_point, - raise_on_deleted_version=raise_on_deleted_version, - ) - - def read_secret_version( - self, - path, - version=None, - mount_point=DEFAULT_MOUNT_POINT, - raise_on_deleted_version=None, - ): - """Retrieve the secret at the specified location, with the specified version. - - Supported methods: - GET: /{mount_point}/data/{path}. Produces: 200 application/json - - - :param path: Specifies the path of the secret to read. This is specified as part of the URL. - :type path: str | unicode - :param version: Specifies the version to return. If not set the latest version is returned. - :type version: int - :param mount_point: The "path" the secret engine was mounted on. 
- :type mount_point: str | unicode - :param raise_on_deleted_version: Changes the behavior when the requested version is deleted. - If True an exception will be raised. - If False, some metadata about the deleted secret is returned. - If None (pre-v3), a default of True will be used and a warning will be issued. - :type raise_on_deleted_version: bool - :return: The JSON response of the request. - :rtype: dict - """ - - if raise_on_deleted_version is None: - msg = ( - "The raise_on_deleted_version parameter will change its default value to False in hvac v3.0.0. " - "The current default of True will presere previous behavior. " - "To use the old behavior with no warning, explicitly set this value to True. " - "See https://github.com/hvac/hvac/pull/907" - ) - warnings.warn( - message=msg, - category=DeprecationWarning, - stacklevel=2, - ) - raise_on_deleted_version = True - - params = {} - if version is not None: - params["version"] = version - api_path = utils.format_url( - "/v1/{mount_point}/data/{path}", mount_point=mount_point, path=path - ) - try: - return self._adapter.get( - url=api_path, - params=params, - ) - except exceptions.InvalidPath as e: - if not raise_on_deleted_version: - try: - if ( - e.json is not None - and e.json["data"]["metadata"]["deletion_time"] != "" - ): - return e.json - except KeyError: - pass - - raise - - def create_or_update_secret( - self, path, secret, cas=None, mount_point=DEFAULT_MOUNT_POINT - ): - """Create a new version of a secret at the specified location. - - If the value does not yet exist, the calling token must have an ACL policy granting the create capability. If - the value already exists, the calling token must have an ACL policy granting the update capability. - - Supported methods: - POST: /{mount_point}/data/{path}. Produces: 200 application/json - - :param path: Path - :type path: str | unicode - :param cas: Set the "cas" value to use a Check-And-Set operation. If not set the write will be allowed. 
If set - to 0 a write will only be allowed if the key doesn't exist. If the index is non-zero the write will only be - allowed if the key's current version matches the version specified in the cas parameter. - :type cas: int - :param secret: The contents of the "secret" dict will be stored and returned on read. - :type secret: dict - :param mount_point: The "path" the secret engine was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: dict - """ - params = { - "options": {}, - "data": secret, - } - - if cas is not None: - params["options"]["cas"] = cas - - api_path = utils.format_url( - "/v1/{mount_point}/data/{path}", mount_point=mount_point, path=path - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def patch(self, path, secret, mount_point=DEFAULT_MOUNT_POINT): - """Set or update data in the KV store without overwriting. - - :param path: Path - :type path: str | unicode - :param secret: The contents of the "secret" dict will be stored and returned on read. - :type secret: dict - :param mount_point: The "path" the secret engine was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the create_or_update_secret request. - :rtype: dict - """ - # First, do a read. - try: - current_secret_version = self.read_secret_version( - path=path, - mount_point=mount_point, - ) - except exceptions.InvalidPath: - raise exceptions.InvalidPath( - 'No value found at "{path}"; patch only works on existing data.'.format( - path=path - ) - ) - - # Update existing secret dict. - patched_secret = current_secret_version["data"]["data"] - patched_secret.update(secret) - - # Write back updated secret. 
- return self.create_or_update_secret( - path=path, - cas=current_secret_version["data"]["metadata"]["version"], - secret=patched_secret, - mount_point=mount_point, - ) - - def delete_latest_version_of_secret(self, path, mount_point=DEFAULT_MOUNT_POINT): - """Issue a soft delete of the secret's latest version at the specified location. - - This marks the version as deleted and will stop it from being returned from reads, but the underlying data will - not be removed. A delete can be undone using the undelete path. - - Supported methods: - DELETE: /{mount_point}/data/{path}. Produces: 204 (empty body) - - - :param path: Specifies the path of the secret to delete. This is specified as part of the URL. - :type path: str | unicode - :param mount_point: The "path" the secret engine was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/{mount_point}/data/{path}", mount_point=mount_point, path=path - ) - return self._adapter.delete( - url=api_path, - ) - - def delete_secret_versions(self, path, versions, mount_point=DEFAULT_MOUNT_POINT): - """Issue a soft delete of the specified versions of the secret. - - This marks the versions as deleted and will stop them from being returned from reads, - but the underlying data will not be removed. A delete can be undone using the - undelete path. - - Supported methods: - POST: /{mount_point}/delete/{path}. Produces: 204 (empty body) - - - :param path: Specifies the path of the secret to delete. This is specified as part of the URL. - :type path: str | unicode - :param versions: The versions to be deleted. The versioned data will not be deleted, but it will no longer be - returned in normal get requests. - :type versions: int - :param mount_point: The "path" the secret engine was mounted on. - :type mount_point: str | unicode - :return: The response of the request. 
- :rtype: requests.Response - """ - if not isinstance(versions, list) or len(versions) == 0: - error_msg = 'argument to "versions" must be a list containing one or more integers, "{versions}" provided.'.format( - versions=versions - ) - raise exceptions.ParamValidationError(error_msg) - params = { - "versions": versions, - } - api_path = utils.format_url( - "/v1/{mount_point}/delete/{path}", mount_point=mount_point, path=path - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def undelete_secret_versions(self, path, versions, mount_point=DEFAULT_MOUNT_POINT): - """Undelete the data for the provided version and path in the key-value store. - - This restores the data, allowing it to be returned on get requests. - - Supported methods: - POST: /{mount_point}/undelete/{path}. Produces: 204 (empty body) - - - :param path: Specifies the path of the secret to undelete. This is specified as part of the URL. - :type path: str | unicode - :param versions: The versions to undelete. The versions will be restored and their data will be returned on - normal get requests. - :type versions: list of int - :param mount_point: The "path" the secret engine was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - if not isinstance(versions, list) or len(versions) == 0: - error_msg = 'argument to "versions" must be a list containing one or more integers, "{versions}" provided.'.format( - versions=versions - ) - raise exceptions.ParamValidationError(error_msg) - params = { - "versions": versions, - } - api_path = utils.format_url( - "/v1/{mount_point}/undelete/{path}", mount_point=mount_point, path=path - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def destroy_secret_versions(self, path, versions, mount_point=DEFAULT_MOUNT_POINT): - """Permanently remove the specified version data and numbers for the provided path from the key-value store. 
- - Supported methods: - POST: /{mount_point}/destroy/{path}. Produces: 204 (empty body) - - - :param path: Specifies the path of the secret to destroy. - This is specified as part of the URL. - :type path: str | unicode - :param versions: The versions to destroy. Their data will be - permanently deleted. - :type versions: list of int - :param mount_point: The "path" the secret engine was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - if not isinstance(versions, list) or len(versions) == 0: - error_msg = 'argument to "versions" must be a list containing one or more integers, "{versions}" provided.'.format( - versions=versions - ) - raise exceptions.ParamValidationError(error_msg) - params = { - "versions": versions, - } - api_path = utils.format_url( - "/v1/{mount_point}/destroy/{path}", mount_point=mount_point, path=path - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def list_secrets(self, path, mount_point=DEFAULT_MOUNT_POINT): - """Return a list of key names at the specified location. - - Folders are suffixed with /. The input must be a folder; list on a file will not return a value. Note that no - policy-based filtering is performed on keys; do not encode sensitive information in key names. The values - themselves are not accessible via this command. - - Supported methods: - LIST: /{mount_point}/metadata/{path}. Produces: 200 application/json - - - :param path: Specifies the path of the secrets to list. This is specified as part of the URL. - :type path: str | unicode - :param mount_point: The "path" the secret engine was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. 
- :rtype: dict - """ - api_path = utils.format_url( - "/v1/{mount_point}/metadata/{path}", mount_point=mount_point, path=path - ) - return self._adapter.list( - url=api_path, - ) - - def read_secret_metadata(self, path, mount_point=DEFAULT_MOUNT_POINT): - """Retrieve the metadata and versions for the secret at the specified path. - - Supported methods: - GET: /{mount_point}/metadata/{path}. Produces: 200 application/json - - - :param path: Specifies the path of the secret to read. This is specified as part of the URL. - :type path: str | unicode - :param mount_point: The "path" the secret engine was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: dict - """ - api_path = utils.format_url( - "/v1/{mount_point}/metadata/{path}", mount_point=mount_point, path=path - ) - return self._adapter.get( - url=api_path, - ) - - def update_metadata( - self, - path, - max_versions=None, - cas_required=None, - delete_version_after="0s", - mount_point=DEFAULT_MOUNT_POINT, - custom_metadata=None, - ): - """Updates the max_versions of cas_required setting on an existing path. - - Supported methods: - POST: /{mount_point}/metadata/{path}. Produces: 204 (empty body) - - - :param path: Path - :type path: str | unicode - :param max_versions: The number of versions to keep per key. If not set, the backend's configured max version is - used. Once a key has more than the configured allowed versions the oldest version will be permanently - deleted. - :type max_versions: int - :param cas_required: If true the key will require the cas parameter to be set on all write requests. If false, - the backend's configuration will be used. - :type cas_required: bool - :param delete_version_after: Specifies the length of time before a version is deleted. Accepts Go duration format string. - Defaults to "0s" (i.e., disabled). - :type delete_version_after: str - :param mount_point: The "path" the secret engine was mounted on. 
- :type mount_point: str | unicode - :param custom_metadata: A dictionary of key/value metadata to describe the secret. Requires Vault 1.9.0 or greater. - :type custom_metadata: dict - :return: The response of the request. - :rtype: requests.Response - """ - params = { - "delete_version_after": delete_version_after, - } - if max_versions is not None: - params["max_versions"] = max_versions - if cas_required is not None: - if not isinstance(cas_required, bool): - error_msg = ( - "bool expected for cas_required param, {type} received".format( - type=type(cas_required) - ) - ) - raise exceptions.ParamValidationError(error_msg) - params["cas_required"] = cas_required - if custom_metadata is not None: - if not isinstance(custom_metadata, dict): - error_msg = ( - "dict expected for custom_metadata param, {type} received".format( - type=type(custom_metadata) - ) - ) - raise exceptions.ParamValidationError(error_msg) - params["custom_metadata"] = custom_metadata - api_path = utils.format_url( - "/v1/{mount_point}/metadata/{path}", mount_point=mount_point, path=path - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def delete_metadata_and_all_versions(self, path, mount_point=DEFAULT_MOUNT_POINT): - """Delete (permanently) the key metadata and all version data for the specified key. - - All version history will be removed. - - Supported methods: - DELETE: /{mount_point}/metadata/{path}. Produces: 204 (empty body) - - - :param path: Specifies the path of the secret to delete. This is specified as part of the URL. - :type path: str | unicode - :param mount_point: The "path" the secret engine was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/{mount_point}/metadata/{path}", mount_point=mount_point, path=path - ) - return self._adapter.delete( - url=api_path, - ) 
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/ldap.py b/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/ldap.py deleted file mode 100644 index 1d8c133..0000000 --- a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/ldap.py +++ /dev/null 
@@ -1,236 +0,0 @@ -#!/usr/bin/env python -"""LDAP methods module.""" - -from hvac import utils -from hvac.api.vault_api_base import VaultApiBase - -DEFAULT_MOUNT_POINT = "ldap" - - -class Ldap(VaultApiBase): - """LDAP Secrets Engine (API). - Reference: https://www.vaultproject.io/api/secret/ldap/index.html - """ - - def configure( - self, - binddn=None, - bindpass=None, - url=None, - password_policy=None, - schema=None, - userdn=None, - userattr=None, - upndomain=None, - connection_timeout=None, - request_timeout=None, - starttls=None, - insecure_tls=None, - certificate=None, - client_tls_cert=None, - client_tls_key=None, - mount_point=DEFAULT_MOUNT_POINT, - ): - """Configure shared information for the ldap secrets engine. - - Supported methods: - POST: /{mount_point}/config. Produces: 204 (empty body) - - :param binddn: Distinguished name of object to bind when performing user and group search. - :type binddn: str | unicode - :param bindpass: Password to use along with binddn when performing user search. - :type bindpass: str | unicode - :param url: Base DN under which to perform user search. - :type url: str | unicode - :param userdn: Base DN under which to perform user search. - :type userdn: str | unicode - :param upndomain: userPrincipalDomain used to construct the UPN string for the authenticating user. - :type upndomain: str | unicode - :param password_policy: The name of the password policy to use to generate passwords. - :type password_policy: str | unicode - :param schema: The LDAP schema to use when storing entry passwords. Valid schemas include ``openldap``, ``ad``, and ``racf``. - :type schema: str | unicode - :param connection_timeout: Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration. - :type connection_timeout: int | str - :param request_timeout: Timeout, in seconds, for the connection when making requests against the server before returning back an error. 
- :type request_timeout: int | str - :param starttls: If true, issues a StartTLS command after establishing an unencrypted connection. - :type starttls: bool - :param insecure_tls: If true, skips LDAP server SSL certificate verification - insecure, use with caution! - :type insecure_tls: bool - :param certificate: CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded. - :type certificate: str | unicode - :param client_tls_cert: Client certificate to provide to the LDAP server, must be x509 PEM encoded. - :type client_tls_cert: str | unicode - :param client_tls_key: Client key to provide to the LDAP server, must be x509 PEM encoded. - :type client_tls_key: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - params = utils.remove_nones( - { - "binddn": binddn, - "bindpass": bindpass, - "url": url, - "userdn": userdn, - "userattr": userattr, - "upndomain": upndomain, - "password_policy": password_policy, - "schema": schema, - "connection_timeout": connection_timeout, - "request_timeout": request_timeout, - "starttls": starttls, - "insecure_tls": insecure_tls, - "certificate": certificate, - "client_tls_cert": client_tls_cert, - "client_tls_key": client_tls_key, - } - ) - - api_path = utils.format_url("/v1/{mount_point}/config", mount_point=mount_point) - return self._adapter.post( - url=api_path, - json=params, - ) - - def read_config(self, mount_point=DEFAULT_MOUNT_POINT): - """Read the configured shared information for the ldap secrets engine. - - Credentials will be omitted from returned data. - - Supported methods: - GET: /{mount_point}/config. Produces: 200 application/json - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. 
- :rtype: dict - """ - api_path = utils.format_url("/v1/{mount_point}/config", mount_point=mount_point) - return self._adapter.get( - url=api_path, - ) - - def rotate_root(self, mount_point=DEFAULT_MOUNT_POINT): - """Rotate the root password for the binddn entry used to manage the ldap secrets engine. - - Supported methods: - POST: /{mount_point}/rotate root. Produces: 200 application/json - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: dict - """ - api_path = utils.format_url( - "/v1/{mount_point}/rotate-root", mount_point=mount_point - ) - return self._adapter.post(url=api_path) - - def create_or_update_static_role( - self, - name, - username=None, - dn=None, - rotation_period=None, - mount_point=DEFAULT_MOUNT_POINT, - ): - """This endpoint creates or updates the ldap static role definition. - - :param name: Specifies the name of an existing static role against which to create this ldap credential. - :type name: str | unicode - :param username: The name of a pre-existing service account in LDAP that maps to this static role. - This value is required on create and cannot be updated. - :type username: str | unicode - :param dn: Distinguished name of the existing LDAP entry to manage password rotation for (takes precedence over username). - Optional but cannot be modified after creation. - :type dn: str | unicode - :param rotation_period: How often Vault should rotate the password. - This is provided as a string duration with a time suffix like "30s" or "1h" or as seconds. - If not provided, the default Vault rotation_period is used. - :type rotation_period: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. 
- :rtype: requests.Response - """ - api_path = utils.format_url("/v1/{}/static-role/{}", mount_point, name) - params = {"username": username, "rotation_period": rotation_period} - params.update(utils.remove_nones({"dn": dn})) - return self._adapter.post( - url=api_path, - json=params, - ) - - def read_static_role(self, name, mount_point=DEFAULT_MOUNT_POINT): - """This endpoint queries for information about an ldap static role with the given name. - If no role exists with that name, a 404 is returned. - :param name: Specifies the name of the static role to query. - :type name: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url("/v1/{}/static-role/{}", mount_point, name) - return self._adapter.get( - url=api_path, - ) - - def list_static_roles(self, mount_point=DEFAULT_MOUNT_POINT): - """This endpoint lists all existing static roles in the secrets engine. - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url("/v1/{}/static-role", mount_point) - return self._adapter.list( - url=api_path, - ) - - def delete_static_role(self, name, mount_point=DEFAULT_MOUNT_POINT): - """This endpoint deletes an ldap static role with the given name. - Even if the role does not exist, this endpoint will still return a successful response. - :param name: Specifies the name of the role to delete. - :type name: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. 
- :rtype: requests.Response - """ - api_path = utils.format_url("/v1/{}/static-role/{}", mount_point, name) - return self._adapter.delete( - url=api_path, - ) - - def generate_static_credentials(self, name, mount_point=DEFAULT_MOUNT_POINT): - """This endpoint retrieves the previous and current LDAP password for - the associated account (or rotate if required) - - :param name: Specifies the name of the static role to request credentials from. - :type name: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url("/v1/{}/static-cred/{}", mount_point, name) - return self._adapter.get( - url=api_path, - ) - - def rotate_static_credentials(self, name, mount_point=DEFAULT_MOUNT_POINT): - """This endpoint rotates the password of an existing static role. - - :param name: Specifies the name of the static role to rotate credentials for. - :type name: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url("/v1/{}/rotate-role/{}", mount_point, name) - return self._adapter.post( - url=api_path, - ) diff --git a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/pki.py b/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/pki.py deleted file mode 100644 index dd3571e..0000000 --- a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/pki.py +++ /dev/null 
@@ -1,878 +0,0 @@ -#!/usr/bin/env python -"""PKI methods module.""" -from hvac import utils -from hvac.api.vault_api_base import VaultApiBase - -DEFAULT_MOUNT_POINT = "pki" - - -class Pki(VaultApiBase): - """Pki Secrets Engine (API). - - Reference: https://www.vaultproject.io/api/secret/pki/index.html - """ - - def read_ca_certificate(self, mount_point=DEFAULT_MOUNT_POINT): - """Read CA Certificate. - - Retrieves the CA certificate in raw DER-encoded form. - - Supported methods: - GET: /{mount_point}/ca/pem. Produces: String - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The certificate as pem. - :rtype: str - """ - api_path = utils.format_url("/v1/{mount_point}/ca/pem", mount_point=mount_point) - response = self._adapter.get( - url=api_path, - ) - return str(response.text) - - def read_ca_certificate_chain(self, mount_point=DEFAULT_MOUNT_POINT): - """Read CA Certificate Chain. - - Retrieves the CA certificate chain, including the CA in PEM format. - - Supported methods: - GET: /{mount_point}/ca_chain. Produces: String - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The certificate chain as pem. - :rtype: str - """ - api_path = utils.format_url( - "/v1/{mount_point}/ca_chain", mount_point=mount_point - ) - response = self._adapter.get( - url=api_path, - ) - return str(response.text) - - def read_certificate(self, serial, mount_point=DEFAULT_MOUNT_POINT): - """Read Certificate. - - Retrieves one of a selection of certificates. - - Supported methods: - GET: /{mount_point}/cert/{serial}. Produces: 200 application/json - - :param serial: the serial of the key to read. - :type serial: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. 
- :rtype: dict - """ - api_path = utils.format_url( - "/v1/{mount_point}/cert/{serial}", - mount_point=mount_point, - serial=serial, - ) - return self._adapter.get( - url=api_path, - ) - - def list_certificates(self, mount_point=DEFAULT_MOUNT_POINT): - """List Certificates. - - The list of the current certificates by serial number only. - - Supported methods: - LIST: /{mount_point}/certs. Produces: 200 application/json - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: dict - """ - api_path = utils.format_url("/v1/{mount_point}/certs", mount_point=mount_point) - return self._adapter.list( - url=api_path, - ) - - def submit_ca_information(self, pem_bundle, mount_point=DEFAULT_MOUNT_POINT): - """Submit CA Information. - - Submitting the CA information for the backend. - - Supported methods: - POST: /{mount_point}/config/ca. Produces: 200 application/json - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: requests.Response - """ - params = { - "pem_bundle": pem_bundle, - } - api_path = utils.format_url( - "/v1/{mount_point}/config/ca", mount_point=mount_point - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def read_crl_configuration(self, mount_point=DEFAULT_MOUNT_POINT): - """Read CRL Configuration. - - Getting the duration for which the generated CRL should be marked valid. - - Supported methods: - GET: /{mount_point}/config/crl. Produces: 200 application/json - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. 
- :rtype: dict - """ - api_path = utils.format_url( - "/v1/{mount_point}/config/crl", mount_point=mount_point - ) - return self._adapter.get( - url=api_path, - ) - - def set_crl_configuration( - self, - expiry=None, - disable=None, - extra_params=None, - mount_point=DEFAULT_MOUNT_POINT, - ): - """Set CRL Configuration. - - Setting the duration for which the generated CRL should be marked valid. - If the CRL is disabled, it will return a signed but zero-length CRL for any - request. If enabled, it will re-build the CRL. - - Supported methods: - POST: /{mount_point}/config/crl. Produces: 200 application/json - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: requests.Response - """ - if extra_params is None: - extra_params = {} - api_path = utils.format_url( - "/v1/{mount_point}/config/crl", mount_point=mount_point - ) - params = extra_params - params.update( - utils.remove_nones( - { - "expiry": expiry, - "disable": disable, - } - ) - ) - - return self._adapter.post( - url=api_path, - json=params, - ) - - def read_urls(self, mount_point=DEFAULT_MOUNT_POINT): - """Read URLs. - - Fetches the URLs to be encoded in generated certificates. - - Supported methods: - GET: /{mount_point}/config/urls. Produces: 200 application/json - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: dict - """ - api_path = utils.format_url( - "/v1/{mount_point}/config/urls", mount_point=mount_point - ) - return self._adapter.get( - url=api_path, - ) - - def set_urls(self, params, mount_point=DEFAULT_MOUNT_POINT): - """Set URLs. - - Setting the issuing certificate endpoints, CRL distribution points, and OCSP server endpoints that will be - encoded into issued certificates. You can update any of the values at any time without affecting the other - existing values. 
To remove the values, simply use a blank string as the parameter. - - Supported methods: - POST: /{mount_point}/config/urls. Produces: 200 application/json - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/{mount_point}/config/urls", mount_point=mount_point - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def read_crl(self, mount_point=DEFAULT_MOUNT_POINT): - """Read CRL. - - Retrieves the current CRL in PEM format. - This endpoint is an unauthenticated. - - Supported methods: - GET: /{mount_point}/crl/pem. Produces: 200 application/pkix-crl - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The content of the request e.g. CRL string representation. - :rtype: str - """ - api_path = utils.format_url( - "/v1/{mount_point}/crl/pem", mount_point=mount_point - ) - response = self._adapter.get( - url=api_path, - ) - # python2.7 uses unicode - return str(response.text) - - def rotate_crl(self, mount_point=DEFAULT_MOUNT_POINT): - """Rotate CRLs. - - Forces a rotation of the CRL. - - Supported methods: - GET: /{mount_point}/crl/rotate. Produces: 200 application/json - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: dict - """ - api_path = utils.format_url( - "/v1/{mount_point}/crl/rotate", mount_point=mount_point - ) - return self._adapter.get( - url=api_path, - ) - - def generate_intermediate( - self, - type, - common_name, - extra_params=None, - mount_point=DEFAULT_MOUNT_POINT, - wrap_ttl=None, - ): - """Generate Intermediate. - - Generates a new private key and a CSR for signing. - - Supported methods: - POST: /{mount_point}/intermediate/generate/{type}. 
Produces: 200 application/json - - :param type: Specifies the type to create. `exported` (private key also exported) or `internal`. - :type type: str | unicode - :param common_name: Specifies the requested CN for the certificate. - :type common_name: str | unicode - :param extra_params: Dictionary with extra parameters. - :type extra_params: dict - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :param wrap_ttl: Specifies response wrapping token creation with duration. IE: '15s', '20m', '25h'. - :type wrap_ttl: str | unicode - :return: The JSON response of the request. - :rtype: requests.Response - """ - if extra_params is None: - extra_params = {} - api_path = utils.format_url( - "/v1/{mount_point}/intermediate/generate/{type}", - mount_point=mount_point, - type=type, - ) - - params = extra_params - params["common_name"] = common_name - - return self._adapter.post( - url=api_path, - json=params, - wrap_ttl=wrap_ttl, - ) - - def set_signed_intermediate(self, certificate, mount_point=DEFAULT_MOUNT_POINT): - """Set Signed Intermediate. - - Allows submitting the signed CA certificate corresponding to a private key generated via "Generate Intermediate" - - Supported methods: - POST: /{mount_point}/intermediate/set-signed. Produces: 200 application/json - - :param certificate: Specifies the certificate in PEM format. - :type certificate: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. 
- :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/{mount_point}/intermediate/set-signed", - mount_point=mount_point, - ) - - params = {} - params["certificate"] = certificate - - return self._adapter.post( - url=api_path, - json=params, - ) - - def generate_certificate( - self, - name, - common_name, - extra_params=None, - mount_point=DEFAULT_MOUNT_POINT, - wrap_ttl=None, - ): - """Generate Certificate. - - Generates a new set of credentials (private key and certificate) based on the role named in the endpoint. - - Supported methods: - POST: /{mount_point}/issue/{name}. Produces: 200 application/json - - :param name: The name of the role to create the certificate against. - :name name: str | unicode - :param common_name: The requested CN for the certificate. - :name common_name: str | unicode - :param extra_params: A dictionary with extra parameters. - :name extra_params: dict - :param mount_point: The "path" the method/backend was mounted on. - :name mount_point: str | unicode - :param wrap_ttl: Specifies response wrapping token creation with duration. IE: '15s', '20m', '25h'. - :type wrap_ttl: str | unicode - :return: The JSON response of the request. - :rtype: requests.Response - """ - if extra_params is None: - extra_params = {} - api_path = utils.format_url( - "/v1/{mount_point}/issue/{name}", - mount_point=mount_point, - name=name, - ) - - params = extra_params - params["common_name"] = common_name - - return self._adapter.post( - url=api_path, - json=params, - wrap_ttl=wrap_ttl, - ) - - def revoke_certificate(self, serial_number, mount_point=DEFAULT_MOUNT_POINT): - """Revoke Certificate. - - Revokes a certificate using its serial number. - - Supported methods: - POST: /{mount_point}/revoke. Produces: 200 application/json - - :param serial_number: The serial number of the certificate to revoke. - :name serial_number: str | unicode - :param mount_point: The "path" the method/backend was mounted on. 
- :name mount_point: str | unicode - :return: The JSON response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url("/v1/{mount_point}/revoke", mount_point=mount_point) - - params = {} - params["serial_number"] = serial_number - - return self._adapter.post( - url=api_path, - json=params, - ) - - def create_or_update_role( - self, name, extra_params=None, mount_point=DEFAULT_MOUNT_POINT - ): - """Create/Update Role. - - Creates or updates the role definition. - - Supported methods: - POST: /{mount_point}/roles/{name}. Produces: 200 application/json - - :param name: The name of the role to create. - :name name: str | unicode - :param extra_params: A dictionary with extra parameters. - :name extra_params: dict - :param mount_point: The "path" the method/backend was mounted on. - :name mount_point: str | unicode - :return: The JSON response of the request. - :rname: requests.Response - """ - if extra_params is None: - extra_params = {} - api_path = utils.format_url( - "/v1/{mount_point}/roles/{name}", - mount_point=mount_point, - name=name, - ) - - params = extra_params - params["name"] = name - - return self._adapter.post( - url=api_path, - json=params, - ) - - def read_role(self, name, mount_point=DEFAULT_MOUNT_POINT): - """Read Role. - - Queries the role definition. - - Supported methods: - GET: /{mount_point}/roles/{name}. Produces: 200 application/json - - :param name: The name of the role to read. - :type name: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: dict - """ - api_path = utils.format_url( - "/v1/{mount_point}/roles/{name}", - mount_point=mount_point, - name=name, - ) - return self._adapter.get( - url=api_path, - ) - - def list_roles(self, mount_point=DEFAULT_MOUNT_POINT): - """List Roles. - - Get a list of available roles. - - Supported methods: - LIST: /{mount_point}/roles. 
Produces: 200 application/json - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: dict - """ - api_path = utils.format_url("/v1/{mount_point}/roles", mount_point=mount_point) - return self._adapter.list( - url=api_path, - ) - - def delete_role(self, name, mount_point=DEFAULT_MOUNT_POINT): - """Delete Role. - - Deletes the role definition. - - Supported methods: - DELETE: /{mount_point}/roles/{name}. Produces: 200 application/json - - :param name: The name of the role to delete. - :name name: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :name mount_point: str | unicode - :return: The JSON response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/{mount_point}/roles/{name}", - mount_point=mount_point, - name=name, - ) - - return self._adapter.delete( - url=api_path, - ) - - def generate_root( - self, - type, - common_name, - extra_params=None, - mount_point=DEFAULT_MOUNT_POINT, - wrap_ttl=None, - ): - """Generate Root. - - Generates a new self-signed CA certificate and private key. - - Supported methods: - POST: /{mount_point}/root/generate/{type}. Produces: 200 application/json - - :param type: Specifies the type to create. `exported` (private key also exported) or `internal`. - :type type: str | unicode - :param common_name: The requested CN for the certificate. - :type common_name: str | unicode - :param extra_params: A dictionary with extra parameters. - :type extra_params: dict - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :param wrap_ttl: Specifies response wrapping token creation with duration. IE: '15s', '20m', '25h'. - :type wrap_ttl: str | unicode - :return: The JSON response of the request. 
- :rtype: requests.Response - """ - if extra_params is None: - extra_params = {} - api_path = utils.format_url( - "/v1/{mount_point}/root/generate/{type}", - mount_point=mount_point, - type=type, - ) - - params = extra_params - params["common_name"] = common_name - - return self._adapter.post( - url=api_path, - json=params, - wrap_ttl=wrap_ttl, - ) - - def delete_root(self, mount_point=DEFAULT_MOUNT_POINT): - """Delete Root. - - Deletes the current CA key. - - Supported methods: - DELETE: /{mount_point}/root. Produces: 200 application/json - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/{mount_point}/root", - mount_point=mount_point, - ) - - return self._adapter.delete( - url=api_path, - ) - - def sign_intermediate( - self, csr, common_name, extra_params=None, mount_point=DEFAULT_MOUNT_POINT - ): - """Sign Intermediate. - - Issue a certificate with appropriate values for acting as an intermediate CA. - - Supported methods: - POST: /{mount_point}/root/sign-intermediate. Produces: 200 application/json - - :param csr: The PEM-encoded CSR. - :type csr: str | unicode - :param common_name: The requested CN for the certificate. - :type common_name: str | unicode - :param extra_params: Dictionary with extra parameters. - :type extra_params: dict - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. 
- :rtype: requests.Response - """ - if extra_params is None: - extra_params = {} - api_path = utils.format_url( - "/v1/{mount_point}/root/sign-intermediate", mount_point=mount_point - ) - - params = extra_params - params["csr"] = csr - params["common_name"] = common_name - - return self._adapter.post( - url=api_path, - json=params, - ) - - def sign_self_issued(self, certificate, mount_point=DEFAULT_MOUNT_POINT): - """Sign Self-Issued. - - Sign a self-issued certificate. - - Supported methods: - POST: /{mount_point}/root/sign-self-issued. Produces: 200 application/json - - :param certificate: The PEM-encoded self-issued certificate. - :type certificate: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/{mount_point}/root/sign-self-issued", mount_point=mount_point - ) - - params = {} - params["certificate"] = certificate - - return self._adapter.post( - url=api_path, - json=params, - ) - - def sign_certificate( - self, name, csr, common_name, extra_params=None, mount_point=DEFAULT_MOUNT_POINT - ): - """Sign Certificate. - - Signs a new certificate based upon the provided CSR and the supplied parameters. - - Supported methods: - POST: /{mount_point}/sign/{name}. Produces: 200 application/json - - :param name: The role to sign the certificate. - :type name: str | unicode - :param csr: The PEM-encoded CSR. - :type csr: str | unicode - :param common_name: The requested CN for the certificate. If the CN is allowed by role policy, it will be issued. - :type common_name: str | unicode - :param extra_params: A dictionary with extra parameters. - :type extra_params: dict - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. 
- :rtype: requests.Response - """ - if extra_params is None: - extra_params = {} - api_path = utils.format_url( - "/v1/{mount_point}/sign/{name}", - mount_point=mount_point, - name=name, - ) - - params = extra_params - params["csr"] = csr - params["common_name"] = common_name - - return self._adapter.post( - url=api_path, - json=params, - ) - - def sign_verbatim( - self, csr, name=False, extra_params=None, mount_point=DEFAULT_MOUNT_POINT - ): - """Sign Verbatim. - - Signs a new certificate based upon the provided CSR. - - Supported methods: - POST: /{mount_point}/sign-verbatim. Produces: 200 application/json - - :param csr: The PEM-encoded CSR. - :type csr: str | unicode - :param name: Specifies a role. - :type name: str | unicode - :param extra_params: A dictionary with extra parameters. - :type extra_params: dict - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: requests.Response - """ - if extra_params is None: - extra_params = {} - url_to_transform = "/v1/{mount_point}/sign-verbatim" - if name: - url_to_transform = url_to_transform + "/{name}" - - api_path = utils.format_url( - url_to_transform, - mount_point=mount_point, - name=name, - ) - - params = extra_params - params["csr"] = csr - - return self._adapter.post( - url=api_path, - json=params, - ) - - def tidy(self, extra_params=None, mount_point=DEFAULT_MOUNT_POINT): - """Tidy. - - Allows tidying up the storage backend and/or CRL by removing certificates that have - expired and are past a certain buffer period beyond their expiration time. - - Supported methods: - POST: /{mount_point}/tidy. Produces: 200 application/json - - :param extra_params: A dictionary with extra parameters. - :type extra_params: dict - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. 
- :rtype: requests.Response - """ - if extra_params is None: - extra_params = {} - api_path = utils.format_url( - "/v1/{mount_point}/tidy", - mount_point=mount_point, - ) - - params = extra_params - - return self._adapter.post( - url=api_path, - json=params, - ) - - def read_issuer(self, issuer_ref, mount_point=DEFAULT_MOUNT_POINT): - """Read issuer. - - Get configuration of a issuer by its reference ID. - - Supported methods: - GET: /{mount_point}/issuer/{issuer_ref}. Produces: 200 application/json - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :param issuer_ref: The reference ID of the issuer to get - :type issuer_ref: str | unicode - :return: The JSON response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/{mount_point}/issuer/{issuer_ref}", - mount_point=mount_point, - issuer_ref=issuer_ref, - ) - - return self._adapter.get( - url=api_path, - ) - - def list_issuers(self, mount_point=DEFAULT_MOUNT_POINT): - """List issuers. - - Get list of all issuers for a given pki mount. - - Supported methods: - LIST: /{mount_point}/issuers. Produces: 200 application/json - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/{mount_point}/issuers", - mount_point=mount_point, - ) - - return self._adapter.list( - url=api_path, - ) - - def update_issuer( - self, issuer_ref, extra_params=None, mount_point=DEFAULT_MOUNT_POINT - ): - """Update issuer. - - Update a given issuer. - - Supported methods: - POST: /{mount_point}/issuer/{issuer_ref}. Produces: 200 application/json - - :param mount_point: The "path" the method/backend was mounted on. 
- :type mount_point: str | unicode - :param issuer_ref: The reference ID of the issuer to update - :type issuer_ref: str | unicode - :param extra_params: Dictionary with extra parameters. - :type extra_params: dict - :return: The JSON response of the request. - :rtype: requests.Response - """ - params = extra_params - - api_path = utils.format_url( - "/v1/{mount_point}/issuer/{issuer_ref}", - mount_point=mount_point, - issuer_ref=issuer_ref, - ) - - return self._adapter.post(url=api_path, json=params) - - def revoke_issuer(self, issuer_ref, mount_point=DEFAULT_MOUNT_POINT): - """Revoke issuer. - - Revokes a given issuer. - - Supported methods: - POST: /{mount_point}/issuer/{issuer_ref}/revoke. Produces: 200 application/json - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :param issuer_ref: The reference ID of the issuer to revoke - :type issuer_ref: str | unicode - :return: The JSON response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/{mount_point}/issuer/{issuer_ref}/revoke", - mount_point=mount_point, - issuer_ref=issuer_ref, - ) - - return self._adapter.post( - url=api_path, - ) - - def delete_issuer(self, issuer_ref, mount_point=DEFAULT_MOUNT_POINT): - """Delete issuer. - - Delete a given issuer. Deleting the default issuer will result in a warning - - Supported methods: - DELETE: /{mount_point}/issuer/{issuer_ref}. Produces: 200 application/json - - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :param issuer_ref: The reference ID of the issuer to delete - :type issuer_ref: str | unicode - :return: The JSON response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/{mount_point}/issuer/{issuer_ref}", - mount_point=mount_point, - issuer_ref=issuer_ref, - ) - - return self._adapter.delete( - url=api_path, - ) 
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/rabbitmq.py b/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/rabbitmq.py
deleted file mode 100644
index 1d8ac6c..0000000
--- a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/rabbitmq.py
+++ /dev/null
@@ -1,147 +0,0 @@ -#!/usr/bin/env python -"""RabbitMQ vault secrets backend module.""" - -from hvac import utils -from hvac.api.vault_api_base import VaultApiBase - -DEFAULT_MOUNT_POINT = "rabbitmq" - - -class RabbitMQ(VaultApiBase): - """RabbitMQ Secrets Engine (API). - Reference: https://www.vaultproject.io/api/secret/rabbitmq/index.html - """ - - def configure( - self, - connection_uri="", - username="", - password="", - verify_connection=True, - mount_point=DEFAULT_MOUNT_POINT, - ): - """Configure shared information for the rabbitmq secrets engine. - - Supported methods: - POST: /{mount_point}/config/connection. Produces: 204 (empty body) - - :param connection_uri: Specifies the RabbitMQ connection URI. - :type connection_uri: str | unicode - :param username: Specifies the RabbitMQ management administrator username. - :type username: str | unicode - :password: Specifies the RabbitMQ management administrator password. - :type password: str | unicode - :verify_connection: Specifies whether to verify connection URI, username, and password. - :type verify_connection: bool - :param mount_point: Specifies the place where the secrets engine will be accessible (default: rabbitmq). - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - params = { - "connection_uri": connection_uri, - "verify_connection": verify_connection, - "username": username, - "password": password, - } - - api_path = utils.format_url( - "/v1/{mount_point}/config/connection", mount_point=mount_point - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def configure_lease(self, ttl, max_ttl, mount_point=DEFAULT_MOUNT_POINT): - """This endpoint configures the lease settings for generated credentials. - - :param ttl: Specifies the lease ttl provided in seconds. - :type ttl: int - :param max_ttl: Specifies the maximum ttl provided in seconds. 
- :type max_ttl: int - :param mount_point: Specifies the place where the secrets engine will be accessible (default: rabbitmq). - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url("/v1/{}/config/lease", mount_point) - params = { - "ttl": ttl, - "max_ttl": max_ttl, - } - return self._adapter.post( - url=api_path, - json=params, - ) - - def create_role( - self, name, tags="", vhosts="", vhost_topics="", mount_point=DEFAULT_MOUNT_POINT - ): - """This endpoint creates or updates the role definition. - - :param name: Specifies the name of the role to create. - :type name: str | unicode - :param tags: Specifies a comma-separated RabbitMQ management tags. - :type tags: str | unicode - :param vhosts: pecifies a map of virtual hosts to permissions. - :type vhosts: str | unicode - :param vhost_topics: Specifies a map of virtual hosts and exchanges to topic permissions. - :type vhost_topics: str | unicode - :param mount_point: Specifies the place where the secrets engine will be accessible (default: rabbitmq). - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url("/v1/{}/roles/{}", mount_point, name) - params = {"tags": tags, "vhosts": vhosts, "vhost_topics": vhost_topics} - return self._adapter.post( - url=api_path, - json=params, - ) - - def read_role(self, name, mount_point=DEFAULT_MOUNT_POINT): - """This endpoint queries the role definition. - - :param name: Specifies the name of the role to read. - :type name: str | unicode - :param mount_point: Specifies the place where the secrets engine will be accessible (default: rabbitmq). - :type mount_point: str | unicode - :return: The JSON response of the request. 
- :rtype: requests.Response - """ - api_path = utils.format_url("/v1/{}/roles/{}", mount_point, name) - return self._adapter.get( - url=api_path, - ) - - def delete_role(self, name, mount_point=DEFAULT_MOUNT_POINT): - """This endpoint deletes the role definition. - Even if the role does not exist, this endpoint will still return a successful response. - - :param name: Specifies the name of the role to delete. - :type name: str | unicode - :param mount_point: Specifies the place where the secrets engine will be accessible (default: rabbitmq). - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url("/v1/{}/roles/{}", mount_point, name) - return self._adapter.delete( - url=api_path, - ) - - def generate_credentials(self, name, mount_point=DEFAULT_MOUNT_POINT): - """This endpoint generates a new set of dynamic credentials based on the named role. - - :param name: Specifies the name of the role to create credentials against. - :type name: str | unicode - :param mount_point: Specifies the place where the secrets engine will be accessible (default: rabbitmq). - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url("/v1/{}/creds/{}", mount_point, name) - return self._adapter.get( - url=api_path, - ) diff --git a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/ssh.py b/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/ssh.py deleted file mode 100644 index 8fa4bf4..0000000 --- a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/ssh.py +++ /dev/null 
@@ -1,557 +0,0 @@
-#!/usr/bin/env python
-"""SSH vault secrets backend module."""
-
-from hvac import utils
-from hvac.api.vault_api_base import VaultApiBase
-
-DEFAULT_MOUNT_POINT = "ssh"
-
-# TODO Fix return types for GET and LIST API calls
-
-
-class Ssh(VaultApiBase):
- """SSH Secrets Engine (API).
- Reference: https://www.vaultproject.io/api-docs/secret/ssh
- """
-
- # TODO: deprecate all dynamic SSH keys methods from hvac
- def create_or_update_key(
- self,
- name="",
- key="",
- mount_point=DEFAULT_MOUNT_POINT,
- ):
- """This endpoint updates a named key. This method uses deprecated functionality that was removed in Vault 1.13.0.
-
- :param name: Specifies the name of the key to create.
- :type name: str | unicode
- :param key: Specifies an SSH private key with appropriate privileges on remote hosts.
- :type key: str | unicode
- :param mount_point: Specifies the place where the secrets engine will be accessible (default: ssh).
- :type mount_point: str | unicode
- :return: The JSON response of the request
- :rtype: requests.Response
- """
- params = {
- "key": key,
- }
-
- api_path = utils.format_url(
- "/v1/{mount_point}/keys/{name}",
- mount_point=mount_point,
- name=name,
- )
-
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- # TODO: deprecate all dynamic SSH keys methods from hvac
- def delete_key(
- self,
- name="",
- mount_point=DEFAULT_MOUNT_POINT,
- ):
- """This endpoint deletes a named key. This method uses deprecated functionality that was removed in Vault 1.13.0.
-
- :param name: Specifies the name of the key to delete.
- :type name: str | unicode
- :param mount_point: Specifies the place where the secrets engine will be accessible (default: ssh).
- :type mount_point: str | unicode
- :return: The JSON response of the request
- :rtype: requests.Response
- """
- api_path = utils.format_url(
- "/v1/{mount_point}/keys/{name}",
- mount_point=mount_point,
- name=name,
- )
-
- return self._adapter.delete(url=api_path)
-
- def create_role(
- self,
- name="",
- key="",
- admin_user="",
- default_user="",
- cidr_list="",
- exclude_cidr_list="",
- port=22,
- key_type="",
- key_bits=1024,
- install_script="",
- allowed_users="",
- allowed_users_template="",
- allowed_domains="",
- key_option_specs="",
- ttl="",
- max_ttl="",
- allowed_critical_options="",
- allowed_extensions="",
- default_critical_options=None,
- default_extensions=None,
- allow_user_certificates="",
- allow_host_certificates=False,
- allow_bare_domains=False,
- allow_subdomains=False,
- allow_user_key_ids=False,
- key_id_format="",
- allowed_user_key_lengths=None,
- algorithm_signer="",
- mount_point=DEFAULT_MOUNT_POINT,
- ):
- """This endpoint creates or updates a named role.
-
- :param name: Specifies the name of the role to create.
- :type name: str | unicode
- :param key: Specifies the name of the registered key in Vault.
- :type key: str | unicode
- :param admin_user: Specifies the admin user at remote host.
- :type admin_user: str | unicode
- :param default_user: Specifies the default username for which a credential will be generated.
- :type default_user: str | unicode
- :param cidr_list: Specifies a comma separated list of CIDR blocks for which the role is applicable for.
- :type cidr_list: str | unicode
- :param exclude_cidr_list: Specifies a comma-separated list of CIDR blocks.
- :type exclude_cidr_list: str | unicode
- :param port: Specifies the port number for SSH connection.
- :type port: int
- :param key_type: Specifies the type of credentials generated by this role.
- :type key_type: str | unicode
- :param key_bits: Specifies the length of the RSA dynamic key in bits. (default: 1024)
- :type key_bits: int
- :param install_script: Specifies the script used to install and uninstall public keys in the target machine.
- :type install_script: str | unicode
- :param allowed_users: If only certain usernames are to be allowed, then this list enforces it.
- :type allowed_users: str | unicode
- :param allowed_users_template: If set, allowed_users can be specified using identity template policies.
- (default: false)
- :type allowed_users_template: bool
- :param allowed_domains: The list of domains for which a client can request a host certificate.
- :type allowed_domains: str | unicode
- :param key_option_specs: Specifies a comma separated option specification which will be prefixed to RSA keys in
- the remote host's authorized_keys file.
- :type key_option_specs: str | unicode
- :param ttl: Specifies the Time To Live value provided as a string duration with time suffix.
- :type ttl: string | unicode
- :param max_ttl: Specifies the Time To Live value provided as a string duration with time suffix.
- :type max_ttl: str | unicode
- :param allowed_critical_options: Specifies a comma-separated list of critical options that certificates can have
- when signed.
- :type allowed_critical_options: str | unicode
- :param allowed_extensions: Specifies a comma-separated list of extensions that certificates can have when
- signed.
- :type allowed_extensions: str | unicode
- :param default_critical_options: Specifies a map of critical options certificates should have if none are
- provided when signing.
- :type default_critical_options: dict
- :param default_extensions: Specifies a map of extensions certificates should have if none are provided when
- signing.
- :type default_extensions: dict
- :param allow_user_certificates: Specifies if certificates are allowed to be signed for use as a 'user'.
- (default: False)
- :type allow_user_certificates: bool
- :param allow_host_certificates: Specifies if certificates are allowed to be signed for use as a 'host'.
- (default: False)
- :type allow_host_certificates: bool
- :param allow_bare_domains: Specifies if host certificates that are requested are allowed to use the base domains
- listed in allowed_domains, e.g. "example.com". (default: False)
- :type allow_bare_domains: bool
- :param allow_subdomains: Specifies if host certificates that are requested are allowed to be subdomains of those
- listed in allowed_domains. (default: False)
- :type allow_subdomains: bool
- :param allow_user_key_ids: Specifies if users can override the key ID for a signed certificate with the "key_id"
- field. (default: False)
- :type allow_user_key_ids: bool
- :param key_id_format: When supplied, this value specifies a custom format for the key id of a signed
- certificate.
- :type key_id_format: str | unicode
- :param allowed_user_key_lengths: Specifies a map of ssh key types and their expected sizes which are allowed to
- be signed by the CA type.
- :type allowed_user_key_lengths: dict
- :param algorithm_signer: Algorithm to sign keys with. (default: "default")
- :type algorithm_signer: str | unicode
- :param mount_point: Specifies the place where the secrets engine will be accessible (default: ssh).
- :type mount_point: str | unicode
- :return: The JSON response of the request
- :rtype: requests.Response
- """
- params = {
- "key": key,
- "admin_user": admin_user,
- "default_user": default_user,
- "cidr_list": cidr_list,
- "exclude_cidr_list": exclude_cidr_list,
- "port": port,
- "key_type": key_type,
- "key_bits": key_bits,
- "install_script": install_script,
- "allowed_users": allowed_users,
- "allowed_users_template": allowed_users_template,
- "allowed_domains": allowed_domains,
- "key_option_specs": key_option_specs,
- "ttl": ttl,
- "max_ttl": max_ttl,
- "allowed_critical_options": allowed_critical_options,
- "allowed_extensions": allowed_extensions,
- "default_critical_options": default_critical_options,
- "default_extensions": default_extensions,
- "allow_user_certificates": allow_user_certificates,
- "allow_host_certificates": allow_host_certificates,
- "allow_bare_domains": allow_bare_domains,
- "allow_subdomains": allow_subdomains,
- "allow_user_key_ids": allow_user_key_ids,
- "key_id_format": key_id_format,
- "allowed_user_key_lengths": allowed_user_key_lengths,
- "algorithm_signer": algorithm_signer,
- }
-
- api_path = utils.format_url(
- "/v1/{mount_point}/roles/{name}", mount_point=mount_point, name=name
- )
-
- return self._adapter.post(url=api_path, json=params)
-
- def read_role(
- self,
- name="",
- mount_point=DEFAULT_MOUNT_POINT,
- ):
- """This endpoint queries a named role.
-
- :param name: Specifies the name of the role to read.
- :type name: str | unicode
- :param mount_point: Specifies the place where the secrets engine will be accessible (default: ssh).
- :type mount_point: str | unicode
- :return: The JSON response of the request
- :rtype: requests.Response
- """
- api_path = utils.format_url(
- "/v1/{mount_point}/roles/{name}",
- mount_point=mount_point,
- name=name,
- )
-
- return self._adapter.get(url=api_path)
-
- def list_roles(
- self,
- mount_point=DEFAULT_MOUNT_POINT,
- ):
- """This endpoint returns a list of available roles. Only the role names are returned, not any values.
-
- :param mount_point: Specifies the place where the secrets engine will be accessible (default: ssh).
- :type mount_point: str | unicode
- :return: The JSON response of the request
- :rtype: requests.Response
- """
- api_path = utils.format_url("/v1/{mount_point}/roles", mount_point=mount_point)
-
- return self._adapter.list(url=api_path)
-
- def delete_role(self, name="", mount_point=DEFAULT_MOUNT_POINT):
- """This endpoint deletes a named role.
-
- :param name:
- :type name: str | unicode
- :param mount_point: Specifies the place where the secrets engine will be accessible (default: ssh).
- :type mount_point: str | unicode
- :return: The JSON response of the request
- :rtype: requests.Response
- """
- api_path = utils.format_url(
- "/v1/{mount_point}/roles/{name}",
- mount_point=mount_point,
- name=name,
- )
-
- return self._adapter.delete(url=api_path)
-
- def list_zeroaddress_roles(
- self,
- mount_point=DEFAULT_MOUNT_POINT,
- ):
- """This endpoint returns the list of configured zero-address roles.
-
- :param mount_point: Specifies the place where the secrets engine will be accessible (default: ssh).
- :type mount_point: str | unicode
- :return: The JSON response of the request
- :rtype: requests.Response
- """
- api_path = utils.format_url(
- "/v1/{mount_point}/config/zeroaddress",
- mount_point=mount_point,
- )
-
- return self._adapter.get(url=api_path)
-
- def configure_zeroaddress_roles(
- self,
- roles="",
- mount_point=DEFAULT_MOUNT_POINT,
- ):
- """This endpoint configures zero-address roles.
-
- :param roles: Specifies a string containing comma separated list of role names which allows credentials to be requested for any IP address.
- :type roles: str | unicode
- :param mount_point: Specifies the place where the secrets engine will be accessible (default: ssh).
- :type mount_point: str | unicode
- :return: The JSON response of the request
- :rtype: requests.Response
- """
- params = {
- "roles": roles,
- }
-
- api_path = utils.format_url(
- "/v1/{mount_point}/config/zeroaddress",
- mount_point=mount_point,
- )
-
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def delete_zeroaddress_role(self, mount_point=DEFAULT_MOUNT_POINT):
- """This endpoint deletes the zero-address roles configuration.
-
- :param mount_point: Specifies the place where the secrets engine will be accessible (default: ssh).
- :type mount_point: str | unicode
- :return: The JSON response of the request
- :rtype: requests.Response
- """
- api_path = utils.format_url(
- "/v1/{mount_point}/config/zeroaddress", mount_point=mount_point
- )
-
- return self._adapter.delete(
- url=api_path,
- )
-
- def generate_ssh_credentials(
- self,
- name="",
- username="",
- ip="",
- mount_point=DEFAULT_MOUNT_POINT,
- ):
- """This endpoint creates credentials for a specific username and IP with the parameters defined in the given role.
-
- :param name: Specifies the name of the role to create credentials against. This is part of the request URL.
- :type name: str | unicode
- :param username: Specifies the username on the remote host.
- :type username: str | unicode
- :param ip: Specifies the IP of the remote host.
- :type ip: str | unicode
- :param mount_point: Specifies the place where the secrets engine will be accessible (default: ssh).
- :type mount_point: str | unicode
- :return: The JSON response of the request
- :rtype: requests.Response
- """
- params = {
- "username": username,
- "ip": ip,
- }
-
- api_path = utils.format_url(
- "/v1/{mount_point}/creds/{name}",
- mount_point=mount_point,
- name=name,
- )
-
- return self._adapter.post(url=api_path, json=params)
-
- def list_roles_by_ip(
- self,
- ip="",
- mount_point=DEFAULT_MOUNT_POINT,
- ):
- """This endpoint lists all of the roles with which the given IP is associated.
-
- :param ip: Specifies the IP of the remote host.
- :type ip: str | unicode
- :param mount_point: Specifies the place where the secrets engine will be accessible (default: ssh).
- :type mount_point: str | unicode
- :return: The JSON response of the request
- :rtype: requests.Response
- """
- params = {
- "ip": ip,
- }
-
- api_path = utils.format_url(
- "/v1/{mount_point}/lookup",
- mount_point=mount_point,
- )
-
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def verify_ssh_otp(
- self,
- otp,
- mount_point=DEFAULT_MOUNT_POINT,
- ):
- """This endpoint verifies if the given OTP is valid. This is an unauthenticated endpoint.
-
- :param otp: Specifies the One-Time-Key that needs to be validated.
- :type otp: str | unicode
- :param mount_point: Specifies the place where the secrets engine will be accessible (default: ssh).
- :type mount_point: str | unicode
- :return: The JSON response of the request
- :rtype: requests.Response
- """
- params = {
- "otp": otp,
- }
-
- api_path = utils.format_url(
- "v1/{mount_point}/verify",
- mount_point=mount_point,
- )
-
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def submit_ca_information(
- self,
- private_key="",
- public_key="",
- generate_signing_key=True,
- key_type="ssh-rsa",
- key_bits=0,
- mount_point=DEFAULT_MOUNT_POINT,
- ):
- """This endpoint allows submitting the CA information for the secrets engine via an SSH key pair.
-
- :param private_key: Specifies the private key part the SSH CA key pair.
- :type private_key: str | unicode
- :param public_key: Specifies the public key part of the SSH CA key pair.
- :type public_key: str | unicode
- :param generate_signing_key: Specifies if Vault should generate the signing key pair internally. (default: True)
- :type generate_signing_key: bool
- :param key_type: Specifies the desired key type for the generated SSH CA key when generate_signing_key is set to true. (default: ssh-rsa)
- :type key_type: str | unicode
- :param key_bits: Specifies the desired key bits for the generated SSH CA key when generate_signing_key is set to true. (default: 0)
- :type key_bits: int
- :param mount_point: Specifies the place where the secrets engine will be accessible (default: ssh).
- :type mount_point: str | unicode
- :return: The JSON response of the request
- :rtype: requests.Response
- """
- params = {
- "private_key": private_key,
- "public_key": public_key,
- "generate_signing_key": generate_signing_key,
- "key_type": key_type,
- "key_bits": key_bits,
- }
-
- api_path = utils.format_url(
- "/v1/{mount_point}/config/ca",
- mount_point=mount_point,
- )
-
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def delete_ca_information(
- self,
- mount_point=DEFAULT_MOUNT_POINT,
- ):
- """This endpoint deletes the CA information for the backend via an SSH key pair.
-
- :param mount_point: Specifies the place where the secrets engine will be accessible (default: ssh).
- :type mount_point: str | unicode
- :return: The JSON response of the request
- :rtype: requests.Response
- """
- api_path = utils.format_url(
- "/v1/{mount_point}/config/ca",
- mount_point=mount_point,
- )
-
- return self._adapter.delete(url=api_path)
-
- def read_public_key(
- self,
- mount_point=DEFAULT_MOUNT_POINT,
- ):
- """This endpoint reads the configured/generated public key.
-
- :param mount_point: Specifies the place where the secrets engine will be accessible (default: ssh).
- :type mount_point: str | unicode
- :return: The JSON response of the request
- :rtype: requests.Response
- """
- # TODO Consider if the unauthenticated endpoint could be used if not authenticated
- api_path = utils.format_url(
- "/v1/{mount_point}/config/ca",
- mount_point=mount_point,
- )
-
- return self._adapter.get(url=api_path)
-
- def sign_ssh_key(
- self,
- name="",
- public_key="",
- ttl="",
- valid_principals="",
- cert_type="user",
- key_id="",
- critical_options=None,
- extensions=None,
- mount_point=DEFAULT_MOUNT_POINT,
- ):
- """This endpoint signs an SSH public key based on the supplied parameters,
- subject to the restrictions contained in the role named in the endpoint.
-
- :param name: Specifies the name of the role to sign. This is part of the request URL.
- :type name: str | unicode
- :param public_key: Specifies the SSH public key that should be signed.
- :type public_key: str | unicode
- :param ttl: Specifies the Requested Time To Live.
- :type ttl: str | unicode
- :param valid_principals: Specifies valid principals that the certificate should be signed for.
- :type valid_principals: str | unicode
- :param cert_type: Specifies the type of certificate to be created; either "user" or "host". (default: user)
- :type cert_type: str | unicode
- :param key_id: Specifies the key id that the created certificate should have.
- :type key_id: str | unicode
- :param critical_options: Specifies a map of the critical options that the certificate should be signed for.
- :type critical_options: dict
- :param extensions: Specifies a map of the extensions that the certificate should be signed for.
- :type extensions: dict
- :param mount_point: Specifies the place where the secrets engine will be accessible (default: ssh).
- :type mount_point: str | unicode
- :return: The JSON response of the request
- :rtype: requests.Response
- """
- params = {
- "public_key": public_key,
- "ttl": ttl,
- "valid_principals": valid_principals,
- "cert_type": cert_type,
- "key_id": key_id,
- "critical_options": critical_options,
- "extensions": extensions,
- }
-
- api_path = utils.format_url(
- "/v1/{mount_point}/sign/{name}", mount_point=mount_point, name=name
- )
-
- return self._adapter.post(
- url=api_path,
- json=params,
- )
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/transform.py b/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/transform.py
deleted file mode 100644
index 8a4b4ea..0000000
--- a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/transform.py
+++ /dev/null
@@ -1,1174 +0,0 @@ -#!/usr/bin/env python -"""Transform secrets engine methods module.""" -from hvac import utils -from hvac.api.vault_api_base import VaultApiBase - -DEFAULT_MOUNT_POINT = "transform" - - -class Transform(VaultApiBase): - """Transform Secrets Engine (API). - - Reference: https://www.vaultproject.io/api-docs/secret/transform - """ - - def create_or_update_role( - self, name, transformations, mount_point=DEFAULT_MOUNT_POINT - ): - """Creates or update the role with the given name. - - If a role with the name does not exist, it will be created. If the role exists, it will be - updated with the new attributes. - - Supported methods: - POST: /{mount_point}/role/:name. - - :param name: the name of the role to create. This is part of the request URL. - :type name: str | unicode - :param transformations: Specifies the transformations that can be used with this role. - At least one transformation is required. - :type transformations: list - :param mount_point: The "path" the secrets engine was mounted on. - :type mount_point: str | unicode - :return: The response of the create_or_update_role request. - :rtype: requests.Response - """ - params = { - "transformations": transformations, - } - api_path = "/v1/{mount_point}/role/{name}".format( - mount_point=mount_point, - name=name, - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def read_role(self, name, mount_point=DEFAULT_MOUNT_POINT): - """Query an existing role by the given name. - - Supported methods: - GET: /{mount_point}/role/:name. - - :param name: the name of the role to read. This is part of the request URL. - :type name: str | unicode - :param mount_point: The "path" the secrets engine was mounted on. - :type mount_point: str | unicode - :return: The response of the read_role request. 
- :rtype: requests.Response - """ - api_path = "/v1/{mount_point}/role/{name}".format( - mount_point=mount_point, - name=name, - ) - return self._adapter.get( - url=api_path, - ) - - def list_roles(self, mount_point=DEFAULT_MOUNT_POINT): - """List all existing roles in the secrets engine. - - Supported methods: - LIST: /{mount_point}/role. - - :param mount_point: The "path" the secrets engine was mounted on. - :type mount_point: str | unicode - :return: The response of the list_roles request. - :rtype: requests.Response - """ - api_path = f"/v1/{mount_point}/role" - return self._adapter.list( - url=api_path, - ) - - def delete_role(self, name, mount_point=DEFAULT_MOUNT_POINT): - """Delete an existing role by the given name. - - Supported methods: - DELETE: /{mount_point}/role/:name. - - :param name: the name of the role to delete. This is part of the request URL. - :type name: str | unicode - :param mount_point: The "path" the secrets engine was mounted on. - :type mount_point: str | unicode - :return: The response of the delete_role request. - :rtype: requests.Response - """ - api_path = "/v1/{mount_point}/role/{name}".format( - mount_point=mount_point, - name=name, - ) - return self._adapter.delete( - url=api_path, - ) - - def create_or_update_transformation( - self, - name, - transform_type, - template, - tweak_source="supplied", - masking_character="*", - allowed_roles=None, - mount_point=DEFAULT_MOUNT_POINT, - ): - """Create or update a transformation with the given name. - - If a transformation with the name does not exist, it will be created. If the - transformation exists, it will be updated with the new attributes. - - Supported methods: - POST: /{mount_point}/transformation/:name. - - :param name: the name of the transformation to create or update. This is part of - the request URL. - :type name: str | unicode - :param transform_type: Specifies the type of transformation to perform. - The types currently supported by this backend are fpe and masking. 
- This value cannot be modified by an update operation after creation. - :type transform_type: str | unicode - :param template: the template name to use for matching value on encode and decode - operations when using this transformation. - :type template: str | unicode - :param tweak_source: Only used when the type is FPE. - :type tweak_source: str | unicode - :param masking_character: the character to use for masking. If multiple characters are - provided, only the first one is used and the rest is ignored. Only used when - the type is masking. - :type masking_character: str | unicode - :param allowed_roles: a list of allowed roles that this transformation can be assigned to. - A role using this transformation must exist in this list in order for - encode and decode operations to properly function. - :type allowed_roles: list - :param mount_point: The "path" the secrets engine was mounted on. - :type mount_point: str | unicode - :return: The response of the create_or_update_ation request. - :rtype: requests.Response - """ - params = { - "type": transform_type, - "template": template, - "tweak_source": tweak_source, - "masking_character": masking_character, - } - params.update( - utils.remove_nones( - { - "allowed_roles": allowed_roles, - } - ) - ) - api_path = "/v1/{mount_point}/transformation/{name}".format( - mount_point=mount_point, - name=name, - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def create_or_update_fpe_transformation( - self, - name, - template, - tweak_source="supplied", - allowed_roles=None, - mount_point=DEFAULT_MOUNT_POINT, - ): - """Creates or update an FPE transformation with the given name. - - If a transformation with the name does not exist, it will be created. If the transformation exists, it will be - updated with the new attributes. - - Supported methods: - POST: /{mount_point}/transformations/fpe/:name. - - - :param name: The name of the transformation to create or update. This is part of - the request URL. 
- :type name: str - :param template: The template name to use for matching value on encode and decode - operations when using this transformation. - :type template: str - :param tweak_source: Specifies the source of where the tweak value comes from. Valid sources are: - supplied, generated, and internal. - :type tweak_source: str - :param allowed_roles: A list of allowed roles that this transformation can be assigned to. - A role using this transformation must exist in this list in order for - encode and decode operations to properly function. - :type allowed_roles: list - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str - :return: The response of the create_or_update_fpe_transformation request. - :rtype: requests.Response - """ - params = utils.remove_nones( - { - "template": template, - "tweak_source": tweak_source, - "allowed_roles": allowed_roles, - } - ) - api_path = "/v1/{mount_point}/transformations/fpe/{name}".format( - mount_point=mount_point, - name=name, - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def create_or_update_masking_transformation( - self, - name, - template, - masking_character="*", - allowed_roles=None, - mount_point=DEFAULT_MOUNT_POINT, - ): - """Creates or update a masking transformation with the given name. If a - transformation with the name does not exist, it will be created. If the - transformation exists, it will be updated with the new attributes. - - Supported methods: - POST: /{mount_point}/transformations/masking/:name. - - - :param name: The name of the transformation to create or update. This is part of - the request URL. - :type name: str - :param template: The template name to use for matching value on encode and decode - operations when using this transformation. - :type template: str - :param masking_character: The character to use for masking. If multiple characters are - provided, only the first one is used and the rest is ignored. 
Only used when - the type is masking. - :type masking_character: str - :param allowed_roles: A list of allowed roles that this transformation can be assigned to. - A role using this transformation must exist in this list in order for - encode and decode operations to properly function. - :type allowed_roles: list - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str - :return: The response of the create_or_update_masking_transformation request. - :rtype: requests.Response - """ - params = utils.remove_nones( - { - "template": template, - "masking_character": masking_character, - "allowed_roles": allowed_roles, - } - ) - api_path = "/v1/{mount_point}/transformations/masking/{name}".format( - mount_point=mount_point, - name=name, - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def create_or_update_tokenization_transformation( - self, - name, - max_ttl=0, - mapping_mode="default", - allowed_roles=None, - stores=None, - mount_point=DEFAULT_MOUNT_POINT, - ): - """ - This endpoint creates or updates a tokenization transformation with the given name. If a - transformation with the name does not exist, it will be created. If the - transformation exists, it will be updated with the new attributes. - - Supported methods: - POST: /{mount_point}/transformations/tokenization/:name. - - :param max_ttl: The maximum TTL of a token. If 0 or unspecified, tokens may have no expiration. - :type max_ttl: str - :param mapping_mode: Specifies the mapping mode for stored tokenization values. - - * `default` is strongly recommended for highest security - * `exportable` exportable allows for all plaintexts to be decoded via the export-decoded endpoint in an emergency. - - :type mapping_mode: str - :param allowed_roles: aAlist of allowed roles that this transformation can be assigned to. - A role using this transformation must exist in this list in order for - encode and decode operations to properly function. 
- :type allowed_roles: list - :param stores: list of tokenization stores to use for tokenization state. Vault's - internal storage is used by default. - :type stores: list - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str - :return: The response of the create_or_update_tokenization_transformation request. - :rtype: requests.Response - """ - if stores is None: - stores = ["builtin/internal"] - params = utils.remove_nones( - { - "max_ttl": max_ttl, - "mapping_mode": mapping_mode, - "allowed_roles": allowed_roles, - "stores": stores, - } - ) - api_path = "/v1/{mount_point}/transformations/tokenization/{name}".format( - mount_point=mount_point, - name=name, - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def read_transformation(self, name, mount_point=DEFAULT_MOUNT_POINT): - """Query an existing transformation by the given name. - - Supported methods: - GET: /{mount_point}/transformation/:name. - - :param name: Specifies the name of the role to read. - :type name: str | unicode - :param mount_point: The "path" the secrets engine was mounted on. - :type mount_point: str | unicode - :return: The response of the read_ation request. - :rtype: requests.Response - """ - api_path = "/v1/{mount_point}/transformation/{name}".format( - mount_point=mount_point, - name=name, - ) - return self._adapter.get( - url=api_path, - ) - - def list_transformations(self, mount_point=DEFAULT_MOUNT_POINT): - """List all existing transformations in the secrets engine. - - Supported methods: - LIST: /{mount_point}/transformation. - - :param mount_point: The "path" the secrets engine was mounted on. - :type mount_point: str | unicode - :return: The response of the list_ation request. 
- :rtype: requests.Response - """ - api_path = f"/v1/{mount_point}/transformation" - return self._adapter.list( - url=api_path, - ) - - def delete_transformation(self, name, mount_point=DEFAULT_MOUNT_POINT): - """Delete an existing transformation by the given name. - - Supported methods: - DELETE: /{mount_point}/transformation/:name. - - :param name: the name of the transformation to delete. This is part of the - request URL. - :type name: str | unicode - :param mount_point: The "path" the secrets engine was mounted on. - :type mount_point: str | unicode - :return: The response of the delete_ation request. - :rtype: requests.Response - """ - api_path = "/v1/{mount_point}/transformation/{name}".format( - mount_point=mount_point, - name=name, - ) - return self._adapter.delete( - url=api_path, - ) - - def create_or_update_template( - self, name, template_type, pattern, alphabet, mount_point=DEFAULT_MOUNT_POINT - ): - """Creates or update a template with the given name. - - If a template with the name does not exist, it will be created. If the - template exists, it will be updated with the new attributes. - - Supported methods: - POST: /{mount_point}/template/:name. - - :param name: the name of the template to create. - :type name: str | unicode - :param template_type: Specifies the type of pattern matching to perform. - The only type currently supported by this backend is regex. - :type template_type: str | unicode - :param pattern: the pattern used to match a particular value. For regex type - matching, capture group determines the set of character that should be matched - against. Any matches outside of capture groups are retained - post-transformation. - :type pattern: str | unicode - :param alphabet: the name of the alphabet to use when this template is used for FPE - encoding and decoding operations. - :type alphabet: str | unicode - :param mount_point: The "path" the secrets engine was mounted on. 
- :type mount_point: str | unicode
- :return: The response of the create_or_update_template request.
- :rtype: requests.Response
- """
- params = {
- "type": template_type,
- "pattern": pattern,
- "alphabet": alphabet,
- }
- api_path = "/v1/{mount_point}/template/{name}".format(
- mount_point=mount_point,
- name=name,
- )
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def read_template(self, name, mount_point=DEFAULT_MOUNT_POINT):
- """Query an existing template by the given name.
-
- Supported methods:
- GET: /{mount_point}/template/:name.
-
- :param name: Specifies the name of the role to read.
- :type name: str | unicode
- :param mount_point: The "path" the secrets engine was mounted on.
- :type mount_point: str | unicode
- :return: The response of the read_template request.
- :rtype: requests.Response
- """
- api_path = "/v1/{mount_point}/template/{name}".format(
- mount_point=mount_point,
- name=name,
- )
- return self._adapter.get(
- url=api_path,
- )
-
- def list_templates(self, mount_point=DEFAULT_MOUNT_POINT):
- """List all existing templates in the secrets engine.
-
- Supported methods:
- LIST: /{mount_point}/transformation.
-
- :param mount_point: The "path" the secrets engine was mounted on.
- :type mount_point: str | unicode
- :return: The response of the list_template request.
- :rtype: requests.Response
- """
- api_path = f"/v1/{mount_point}/template"
- return self._adapter.list(
- url=api_path,
- )
-
- def delete_template(self, name, mount_point=DEFAULT_MOUNT_POINT):
- """Delete an existing template by the given name.
-
- Supported methods:
- DELETE: /{mount_point}/template/:name.
-
- :param name: the name of the template to delete. This is part of the
- request URL.
- :type name: str | unicode
- :param mount_point: The "path" the secrets engine was mounted on.
- :type mount_point: str | unicode
- :return: The response of the delete_template request.
- :rtype: requests.Response
- """
- params = {
- "name": name,
- }
- api_path = "/v1/{mount_point}/template/{name}".format(
- mount_point=mount_point,
- name=name,
- )
- return self._adapter.delete(
- url=api_path,
- json=params,
- )
-
- def create_or_update_alphabet(
- self, name, alphabet, mount_point=DEFAULT_MOUNT_POINT
- ):
- """Create or update an alphabet with the given name.
-
- If an alphabet with the name does not exist, it will be created. If the
- alphabet exists, it will be updated with the new attributes.
-
- Supported methods:
- POST: /{mount_point}/alphabet/:name.
-
- :param name: Specifies the name of the transformation alphabet to create.
- :type name: str | unicode
- :param alphabet: the set of characters that can exist within the provided value
- and the encoded or decoded value for a FPE transformation.
- :type alphabet: str | unicode
- :param mount_point: The "path" the secrets engine was mounted on.
- :type mount_point: str | unicode
- :return: The response of the create_or_update_alphabet request.
- :rtype: requests.Response
- """
- params = {
- "alphabet": alphabet,
- }
- api_path = "/v1/{mount_point}/alphabet/{name}".format(
- mount_point=mount_point,
- name=name,
- )
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def read_alphabet(self, name, mount_point=DEFAULT_MOUNT_POINT):
- """Queries an existing alphabet by the given name.
-
- Supported methods:
- GET: /{mount_point}/alphabet/:name.
-
-
- :param name: the name of the alphabet to delete. This is part of the request URL.
- :type name: str | unicode
- :param mount_point: The "path" the secrets engine was mounted on.
- :type mount_point: str | unicode
- :return: The response of the read_alphabet request.
- :rtype: requests.Response
- """
- api_path = "/v1/{mount_point}/alphabet/{name}".format(
- mount_point=mount_point,
- name=name,
- )
- return self._adapter.get(
- url=api_path,
- )
-
- def list_alphabets(self, mount_point=DEFAULT_MOUNT_POINT):
- """List all existing alphabets in the secrets engine.
-
- Supported methods:
- LIST: /{mount_point}/alphabet.
-
- :param mount_point: The "path" the secrets engine was mounted on.
- :type mount_point: str | unicode
- :return: The response of the list_alphabets request.
- :rtype: requests.Response
- """
- api_path = f"/v1/{mount_point}/alphabet"
- return self._adapter.list(
- url=api_path,
- )
-
- def delete_alphabet(self, name, mount_point=DEFAULT_MOUNT_POINT):
- """Delete an existing alphabet by the given name.
-
- Supported methods:
- DELETE: /{mount_point}/alphabet/:name.
-
- :param name: the name of the alphabet to delete. This is part of the request URL.
- :type name: str | unicode
- :param mount_point: The "path" the secrets engine was mounted on.
- :type mount_point: str | unicode
- :return: The response of the delete_alphabet request.
- :rtype: requests.Response
- """
- api_path = "/v1/{mount_point}/alphabet/{name}".format(
- mount_point=mount_point,
- name=name,
- )
- return self._adapter.delete(
- url=api_path,
- )
-
- def create_or_update_tokenization_store(
- self,
- name,
- driver,
- connection_string,
- username=None,
- password=None,
- type="sql",
- supported_transformations=None,
- schema="public",
- max_open_connections=4,
- max_idle_connections=4,
- max_connection_lifetime=0,
- mount_point=DEFAULT_MOUNT_POINT,
- ):
- """Create or update a storage configuration for use with tokenization.
- The database user configured here should only have permission to SELECT, INSERT, and UPDATE rows in the tables.
-
- Supported methods:
- POST: /{mount_point}/store/:name.
-
- :param name: The name of the store to create or update.
- :type name: str
- :param type: Specifies the type of store. Currently only `sql` is supported.
- :type type: str
- :param driver: Specifies the database driver to use, and thus which SQL database type.
- Currently the supported options are `postgres` or `mysql`
- :type driver: str
- :param supported_transformations: The types of transformations this store can host. Currently only `tokenization` is supported.
- :type supported_transformations: list(str)
- :param connection_string: database connection string with template slots for username and password that
- Vault will use for locating and connecting to a database. Each
- database driver type has a different syntax for its connection strings.
- :type connection_string: str
- :param username: username value to use when connecting to the database.
- :type username: str
- :param password: password value to use when connecting to the database.
- :type password: str
- :param schema: schema within the database to expect tokenization state tables.
- :type schema: str
- :param max_open_connections: maximum number of connections to the database at any given time.
- :type max_open_connections: int
- :param max_idle_connections: maximum number of idle connections to the database at any given time.
- :type max_idle_connections: int
- :param max_connection_lifetime: means no limit.
- :type max_connection_lifetime: duration
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str
- :return: The response of the create_or_update_tokenization_store request.
- :rtype: requests.Response
- """
- if supported_transformations is None:
- supported_transformations = ["tokenization"]
- params = utils.remove_nones(
- {
- "type": type,
- "driver": driver,
- "supported_transformations:": supported_transformations,
- "connection_string": connection_string,
- "username": username,
- "password": password,
- "schema": schema,
- "max_open_connections": max_open_connections,
- "max_idle_connections": max_idle_connections,
- "max_connection_lifetime": max_connection_lifetime,
- }
- )
- api_path = "/v1/{mount_point}/store/{name}".format(
- mount_point=mount_point,
- name=name,
- )
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def encode(
- self,
- role_name,
- value=None,
- transformation=None,
- tweak=None,
- batch_input=None,
- mount_point=DEFAULT_MOUNT_POINT,
- ):
- """Encode the provided value using a named role.
-
- Supported methods:
- POST: /{mount_point}/encode/:role_name.
-
- :param role_name: the role name to use for this operation. This is specified as part
- of the URL.
- :type role_name: str | unicode
- :param value: the value to be encoded.
- :type value: str | unicode
- :param transformation: the transformation within the role that should be used for this
- encode operation. If a single transformation exists for role, this parameter
- may be skipped and will be inferred. If multiple transformations exist, one
- must be specified.
- :type transformation: str | unicode
- :param tweak: the tweak source.
- :type tweak: str | unicode
- :param batch_input: a list of items to be encoded in a single batch. When this
- parameter is set, the 'value', 'transformation' and 'tweak' parameters are
- ignored. Instead, the aforementioned parameters should be provided within
- each object in the list.
- :type batch_input: list
- :param mount_point: The "path" the secrets engine was mounted on.
- :type mount_point: str | unicode
- :return: The response of the encode request.
- :rtype: requests.Response
- """
- params = utils.remove_nones(
- {
- "value": value,
- "transformation": transformation,
- "tweak": tweak,
- "batch_input": batch_input,
- }
- )
- api_path = "/v1/{mount_point}/encode/{role_name}".format(
- mount_point=mount_point,
- role_name=role_name,
- )
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def decode(
- self,
- role_name,
- value=None,
- transformation=None,
- tweak=None,
- batch_input=None,
- mount_point=DEFAULT_MOUNT_POINT,
- ):
- """Decode the provided value using a named role.
-
- Supported methods:
- POST: /{mount_point}/decode/:role_name.
-
- :param role_name: the role name to use for this operation. This is specified as part
- of the URL.
- :type role_name: str | unicode
- :param value: the value to be decoded.
- :type value: str | unicode
- :param transformation: the transformation within the role that should be used for this
- decode operation. If a single transformation exists for role, this parameter
- may be skipped and will be inferred. If multiple transformations exist, one
- must be specified.
- :type transformation: str | unicode
- :param tweak: the tweak source.
- :type tweak: str | unicode
- :param batch_input: a list of items to be decoded in a single batch. When this
- parameter is set, the 'value', 'transformation' and 'tweak' parameters are
- ignored. Instead, the aforementioned parameters should be provided within
- each object in the list.
- :type batch_input: array
- :param mount_point: The "path" the secrets engine was mounted on.
- :type mount_point: str | unicode
- :return: The response of the decode request.
- :rtype: requests.Response
- """
- params = utils.remove_nones(
- {
- "value": value,
- "transformation": transformation,
- "tweak": tweak,
- "batch_input": batch_input,
- }
- )
- api_path = "/v1/{mount_point}/decode/{role_name}".format(
- mount_point=mount_point,
- role_name=role_name,
- )
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def validate_token(
- self,
- role_name,
- value,
- transformation,
- batch_input=None,
- mount_point=DEFAULT_MOUNT_POINT,
- ):
- """Determine if a provided tokenized value is valid and unexpired.
- Only valid for tokenization transformations.
-
- Supported methods:
- POST: /{mount_point}/validate/:role_name.
-
-
- :param role_name: the role name to use for this operation. This is specified as part
- of the URL.
- :type role_name: str
- :param value: the token for which to check validity.
- :type value: str
- :param transformation: the transformation within the role that should be used for this
- decode operation. If a single transformation exists for role, this parameter
- may be skipped and will be inferred. If multiple transformations exist, one
- must be specified.
- :type transformation: str
- :param batch_input: a list of items to be decoded in a single batch. When this
- parameter is set, the 'value' parameter is
- ignored. Instead, the aforementioned parameters should be provided within
- each object in the list.
- :type batch_input: list
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str
- :return: The response of the validate_token request.
- :rtype: requests.Response
- """
- params = utils.remove_nones(
- {
- "value": value,
- "transformation": transformation,
- "batch_input": batch_input,
- }
- )
- api_path = "/v1/{mount_point}/validate/{role_name}".format(
- mount_point=mount_point,
- role_name=role_name,
- )
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def check_tokenization(
- self,
- role_name,
- value,
- transformation,
- batch_input=None,
- mount_point=DEFAULT_MOUNT_POINT,
- ):
- """Determine if a provided plaintext value has an valid, unexpired tokenized value.
- Note that this cannot return the token, just confirm that a
- tokenized value exists. This endpoint is only valid for tokenization
- transformations.
-
- Supported methods:
- POST: /{mount_point}/tokenized/:role_name.
-
-
- :param role_name: the role name to use for this operation. This is specified as part
- of the URL.
- :type role_name: str
- :param value: the token to test for whether it has a valid tokenization.
- :type value: str
- :param transformation: the transformation within the role that should be used for this
- decode operation. If a single transformation exists for role, this parameter
- may be skipped and will be inferred. If multiple transformations exist, one
- must be specified.
- :type transformation: str
- :param batch_input: a list of items to be decoded in a single batch. When this
- parameter is set, the 'value' parameter is
- ignored. Instead, the aforementioned parameters should be provided within
- each object in the list.
- :type batch_input: list
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str
- :return: The response of the check_tokenization request.
- :rtype: requests.Response
- """
- params = utils.remove_nones(
- {
- "value": value,
- "transformation": transformation,
- "batch_input": batch_input,
- }
- )
- api_path = "/v1/{mount_point}/tokenized/{role_name}".format(
- mount_point=mount_point,
- role_name=role_name,
- )
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def retrieve_token_metadata(
- self,
- role_name,
- value,
- transformation,
- batch_input=None,
- mount_point=DEFAULT_MOUNT_POINT,
- ):
- """
- This endpoint retrieves metadata for a tokenized value using a named role.
- Only valid for tokenization transformations.
-
- Supported methods:
- POST: /{mount_point}/metadata/:role_name.
-
-
- :param role_name: the role name to use for this operation. This is specified as part
- of the URL.
- :type role_name: str
- :param value: the token for which to retrieve metadata.
- :type value: str
- :param transformation: the transformation within the role that should be used for this
- decode operation. If a single transformation exists for role, this parameter
- may be skipped and will be inferred. If multiple transformations exist, one
- must be specified.
- :type transformation: str
- :param batch_input: a list of items to be decoded in a single batch. When this
- parameter is set, the 'value' parameter is
- ignored. Instead, the aforementioned parameters should be provided within
- each object in the list.
- :type batch_input: list
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str
- :return: The response of the retrieve_token_metadata request.
- :rtype: requests.Response
- """
- params = utils.remove_nones(
- {
- "value": value,
- "transformation": transformation,
- "batch_input": batch_input,
- }
- )
- api_path = "/v1/{mount_point}/metadata/{role_name}".format(
- mount_point=mount_point,
- role_name=role_name,
- )
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def snapshot_tokenization_state(
- self, name, limit=1000, continuation="", mount_point=DEFAULT_MOUNT_POINT
- ):
- """
- This endpoint starts or continues retrieving a snapshot of the stored
- state of a tokenization transform. This state is protected as it is
- in the underlying store, and so is safe for storage or transport. Snapshots
- may be used for backup purposes or to migrate from one store to another.
- If more than one store is configured for a tokenization transform, the
- snapshot data contains the contents of the first store.
-
- Supported methods:
- POST: /{mount_point}/transformations/tokenization/snapshot/:name.
-
-
- :param name: the name of the transformation to snapshot.
- :type name: str
- :param limit: maximum number of tokenized value states to return on this call.
- :type limit: int
- :param continuation: absent or empty, a new snapshot is started. If present, the
- snapshot should continue at the next available value.
- :type continuation: str
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str
- :return: The response of the snapshot_tokenization_state request.
- :rtype: requests.Response
- """
- params = utils.remove_nones(
- {
- "limit": limit,
- "continuation": continuation,
- }
- )
- api_path = (
- "/v1/{mount_point}/transformations/tokenization/snapshot/{name}".format(
- mount_point=mount_point,
- name=name,
- )
- )
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def restore_tokenization_state(self, name, values, mount_point=DEFAULT_MOUNT_POINT):
- """
- This endpoint restores previously snapshotted tokenization state values
- to the underlying store(s) of a tokenization transform. Calls to this
- endpoint are idempotent, so multiple outputs from a snapshot run can
- be applied via restore in any order and duplicates will not cause a problem.
-
- Supported methods:
- POST: /{mount_point}/transformations/tokenization/restore/:name.
-
-
- :param name: the name of the transformation to restore.
- :type name: str
- :param values: number of tokenization state values from a previous snapshot call.
- :type values: str
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str
- :return: The response of the restore_tokenization_state request.
- :rtype: requests.Response
- """
- params = {
- "values": values,
- }
- api_path = (
- "/v1/{mount_point}/transformations/tokenization/restore/{name}".format(
- mount_point=mount_point,
- name=name,
- )
- )
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def export_decoded_tokenization_state(
- self, name, limit=1000, continuation="", mount_point=DEFAULT_MOUNT_POINT
- ):
- """Start or continue retrieving an export of tokenization state, including the tokens and their decoded values.
- This call is only supported on tokenization stores configured with the exportable mapping mode.
- Refer to the Tokenization documentation for when to use the exportable mapping mode.
- Decoded values are in Base64 representation.
-
- Supported methods:
- POST: /{mount_point}/transformations/tokenization/export-decoded/:name.
-
-
- :param name: the name of the transformation to export.
- :type name: str
- :param limit: maximum number of tokenized value states to return on this call.
- :type limit: int
- :param continuation: absent or empty, a new export is started. If present, the
- export should continue at the next available value.
- :type continuation: str
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str
- :return: The response of the export_decoded_tokenization_state request.
- :rtype: requests.Response
- """
- params = utils.remove_nones(
- {
- "limit": limit,
- "continuation": continuation,
- }
- )
- api_path = "/v1/{mount_point}/transformations/tokenization/export-decoded/{name}".format(
- mount_point=mount_point,
- name=name,
- )
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def rotate_tokenization_key(self, transform_name, mount_point=DEFAULT_MOUNT_POINT):
- """Rotate the version of the named key.
- After rotation, new requests will be encoded with the new version of the key.
-
- Supported methods:
- POST: /{mount_point}/tokenization/keys/{transform_name}/rotate.
-
-
- :param transform_name: the transform name to use for this operation. This is specified as part
- of the URL.
- :type transform_name: str
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str
- :return: The response of the rotate_tokenization_key request.
- :rtype: requests.Response
- """
- api_path = "/v1/{mount_point}/tokenization/keys/{transform_name}/rotate".format(
- mount_point=mount_point,
- transform_name=transform_name,
- )
- return self._adapter.post(
- url=api_path,
- )
-
- def update_tokenization_key_config(
- self, transform_name, min_decryption_version, mount_point=DEFAULT_MOUNT_POINT
- ):
- """Allow the minimum key version to be set for decode operations.
- Only valid for tokenization transformations.
-
- Supported methods:
- POST: /{mount_point}/tokenization/keys/{transform_name}/config.
-
-
- :param transform_name: the transform name to use for this operation. This is specified as part
- of the URL.
- :type transform_name: str
- :param min_decryption_version: the minimum key version that vault can use to decode values for the
- corresponding transform.
- :type min_decryption_version: int
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str
- :return: The response of the update_tokenization_key_config request.
- :rtype: requests.Response
- """
- params = {
- "transform_name": transform_name,
- "min_decryption_version": min_decryption_version,
- }
- api_path = "/v1/{mount_point}/tokenization/keys/{transform_name}/config".format(
- mount_point=mount_point,
- transform_name=transform_name,
- )
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def list_tokenization_key_configuration(self, mount_point=DEFAULT_MOUNT_POINT):
- """List all tokenization keys.
- Only valid for tokenization transformations.
-
- Supported methods:
- LIST: /{mount_point}/tokenization/keys/.
-
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str
- :return: The response of the list_tokenization_key_configuration request.
- :rtype: requests.Response
- """
- api_path = "/v1/{mount_point}/tokenization/keys/".format(
- mount_point=mount_point,
- )
- return self._adapter.list(
- url=api_path,
- )
-
- def read_tokenization_key_configuration(
- self, transform_name, mount_point=DEFAULT_MOUNT_POINT
- ):
- """Read tokenization key configuration for a particular transform.
- Only valid for tokenization transformations.
-
- Supported methods:
- GET: /{mount_point}/tokenization/keys/:{mount_point}_name.
-
-
- :param transform_name: the transform name to use for this operation. This is specified as part
- of the URL.
- :type transform_name: str
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str
- :return: The response of the read_tokenization_key_configuration request.
- :rtype: requests.Response
- """
- api_path = "/v1/{mount_point}/tokenization/keys/{transform_name}".format(
- mount_point=mount_point,
- transform_name=transform_name,
- )
- return self._adapter.get(
- url=api_path,
- )
-
- def trim_tokenization_key_version(
- self, transform_name, min_available_version, mount_point=DEFAULT_MOUNT_POINT
- ):
- """Trim older key versions setting a minimum version for the keyring.
- Once trimmed, previous versions of the key cannot be recovered.
-
- Supported methods:
- POST: /{mount_point}/tokenization/keys/{transform_name}/trim.
-
-
- :param transform_name: the transform name to use for this operation. This is specified as part
- of the URL.
- :type transform_name: str
- :param min_available_version:
- :type min_available_version: int
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str
- :return: The response of the trim_tokenization_key_version request.
- :rtype: requests.Response
- """
- params = {
- "min_available_version": min_available_version,
- }
- api_path = "/v1/{mount_point}/tokenization/keys/{transform_name}/trim".format(
- mount_point=mount_point,
- transform_name=transform_name,
- )
- return self._adapter.post(
- url=api_path,
- json=params,
- )
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/transit.py b/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/transit.py
deleted file mode 100644
index 77185bc..0000000
--- a/.venv/lib/python3.12/site-packages/hvac/api/secrets_engines/transit.py
+++ /dev/null
@@ -1,1163 +0,0 @@
-#!/usr/bin/env python
-"""Transit methods module."""
-from hvac import exceptions, utils
-from hvac.api.vault_api_base import VaultApiBase
-from hvac.constants import transit as transit_constants
-
-DEFAULT_MOUNT_POINT = "transit"
-
-
-class Transit(VaultApiBase):
- """Transit Secrets Engine (API).
-
- Reference: https://www.vaultproject.io/api/secret/transit/index.html
- """
-
- def create_key(
- self,
- name,
- convergent_encryption=None,
- derived=None,
- exportable=None,
- allow_plaintext_backup=None,
- key_type=None,
- mount_point=DEFAULT_MOUNT_POINT,
- auto_rotate_period=None,
- ):
- """Create a new named encryption key of the specified type.
-
- The values set here cannot be changed after key creation.
-
- Supported methods:
- POST: /{mount_point}/keys/{name}. Produces: 204 (empty body)
-
- :param name: Specifies the name of the encryption key to create. This is specified as part of the URL.
- :type name: str | unicode
- :param convergent_encryption: If enabled, the key will support convergent encryption, where the same plaintext
- creates the same ciphertext. This requires derived to be set to true. When enabled, each
- encryption(/decryption/rewrap/datakey) operation will derive a nonce value rather than randomly generate it.
- :type convergent_encryption: bool
- :param derived: Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this
- named key must provide a context which is used for key derivation.
- :type derived: bool
- :param exportable: Enables keys to be exportable. This allows for all the valid keys in the key ring to be
- exported. Once set, this cannot be disabled.
- :type exportable: bool
- :param allow_plaintext_backup: If set, enables taking backup of named key in the plaintext format. Once set,
- this cannot be disabled.
- :type allow_plaintext_backup: bool
- :param key_type: Specifies the type of key to create. The currently-supported types are:
-
- * **aes256-gcm96**: AES-256 wrapped with GCM using a 96-bit nonce size AEAD
- * **chacha20-poly1305**: ChaCha20-Poly1305 AEAD (symmetric, supports derivation and convergent encryption)
- * **ed25519**: ED25519 (asymmetric, supports derivation).
- * **ecdsa-p256**: ECDSA using the P-256 elliptic curve (asymmetric)
- * **ecdsa-p384**: ECDSA using the P-384 elliptic curve (asymmetric)
- * **ecdsa-p521**: ECDSA using the P-521 elliptic curve (asymmetric)
- * **rsa-2048**: RSA with bit size of 2048 (asymmetric)
- * **rsa-3072**: RSA with bit size of 3072 (asymmetric)
- * **rsa-4096**: RSA with bit size of 4096 (asymmetric)
- :type key_type: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :param auto_rotate_period: The period at which this key should be rotated automatically. Requires Vault 1.10.x or higher.
- :type auto_rotate_period: str | unicode
- :return: The response of the request.
- :rtype: requests.Response
- """
- if convergent_encryption and not derived:
- raise exceptions.ParamValidationError(
- "derived must be set to True when convergent_encryption is True"
- )
- if key_type is not None and key_type not in transit_constants.ALLOWED_KEY_TYPES:
- error_msg = 'invalid key_type argument provided "{arg}", supported types: "{allowed_types}"'
- raise exceptions.ParamValidationError(
- error_msg.format(
- arg=key_type,
- allowed_types=", ".join(transit_constants.ALLOWED_KEY_TYPES),
- )
- )
- params = utils.remove_nones(
- {
- "convergent_encryption": convergent_encryption,
- "derived": derived,
- "exportable": exportable,
- "allow_plaintext_backup": allow_plaintext_backup,
- "type": key_type,
- "auto_rotate_period": auto_rotate_period,
- }
- )
- api_path = utils.format_url(
- "/v1/{mount_point}/keys/{name}",
- mount_point=mount_point,
- name=name,
- )
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def read_key(self, name, mount_point=DEFAULT_MOUNT_POINT):
- """Read information about a named encryption key.
-
- The keys object shows the creation time of each key version; the values are not the keys themselves. Depending
- on the type of key, different information may be returned, e.g. an asymmetric key will return its public key in
- a standard format for the type.
-
- Supported methods:
- GET: /{mount_point}/keys/{name}. Produces: 200 application/json
-
- :param name: Specifies the name of the encryption key to read. This is specified as part of the URL.
- :type name: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The JSON response of the read_key request.
- :rtype: dict
- """
- api_path = utils.format_url(
- "/v1/{mount_point}/keys/{name}",
- mount_point=mount_point,
- name=name,
- )
- return self._adapter.get(
- url=api_path,
- )
-
- def list_keys(self, mount_point=DEFAULT_MOUNT_POINT):
- """List keys (if there are any).
-
- Only the key names are returned (not the actual keys themselves).
-
- An exception is thrown if there are no keys.
-
- Supported methods:
- LIST: /{mount_point}/keys. Produces: 200 application/json
-
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The JSON response of the request.
- :rtype: dict
- """
- api_path = utils.format_url("/v1/{mount_point}/keys", mount_point=mount_point)
- return self._adapter.list(url=api_path)
-
- def delete_key(self, name, mount_point=DEFAULT_MOUNT_POINT):
- """Delete a named encryption key.
-
- It will no longer be possible to decrypt any data encrypted with the named key. Because this is a potentially
- catastrophic operation, the deletion_allowed tunable must be set in the key's /config endpoint.
-
- Supported methods:
- DELETE: /{mount_point}/keys/{name}. Produces: 204 (empty body)
-
- :param name: Specifies the name of the encryption key to delete. This is specified as part of the URL.
- :type name: str | unicode
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :return: The response of the request.
- :rtype: requests.Response
- """
- api_path = utils.format_url(
- "/v1/{mount_point}/keys/{name}",
- mount_point=mount_point,
- name=name,
- )
- return self._adapter.delete(
- url=api_path,
- )
-
- def update_key_configuration(
- self,
- name,
- min_decryption_version=None,
- min_encryption_version=None,
- deletion_allowed=None,
- exportable=None,
- allow_plaintext_backup=None,
- mount_point=DEFAULT_MOUNT_POINT,
- auto_rotate_period=None,
- ):
- """Tune configuration values for a given key.
-
- These values are returned during a read operation on the named key.
-
- Supported methods:
- POST: /{mount_point}/keys/{name}/config. Produces: 204 (empty body)
-
- :param name: Specifies the name of the encryption key to update configuration for.
- :type name: str | unicode
- :param min_decryption_version: Specifies the minimum version of ciphertext allowed to be decrypted. Adjusting
- this as part of a key rotation policy can prevent old copies of ciphertext from being decrypted, should they
- fall into the wrong hands. For signatures, this value controls the minimum version of signature that can be
- verified against. For HMACs, this controls the minimum version of a key allowed to be used as the key for
- verification.
- :type min_decryption_version: int
- :param min_encryption_version: Specifies the minimum version of the key that can be used to encrypt plaintext,
- sign payloads, or generate HMACs. Must be 0 (which will use the latest version) or a value greater or equal
- to min_decryption_version.
- :type min_encryption_version: int
- :param deletion_allowed: Specifies if the key is allowed to be deleted.
- :type deletion_allowed: bool
- :param exportable: Enables keys to be exportable. This allows for all the valid keys in the key ring to be
- exported. Once set, this cannot be disabled.
- :type exportable: bool
- :param allow_plaintext_backup: If set, enables taking backup of named key in the plaintext format. Once set,
- this cannot be disabled.
- :type allow_plaintext_backup: bool
- :param mount_point: The "path" the method/backend was mounted on.
- :type mount_point: str | unicode
- :param auto_rotate_period: The period at which this key should be rotated automatically. Requires Vault 1.10.x or higher.
- :type auto_rotate_period: str | unicode
- :return: The response of the request.
- :rtype: requests.Response - """ - if min_encryption_version is not None and min_decryption_version is not None: - if ( - min_encryption_version != 0 - and min_encryption_version <= min_decryption_version - ): - raise exceptions.ParamValidationError( - "min_encryption_version must be 0 or > min_decryption_version" - ) - params = utils.remove_nones( - { - "min_decryption_version": min_decryption_version, - "min_encryption_version": min_encryption_version, - "deletion_allowed": deletion_allowed, - "exportable": exportable, - "allow_plaintext_backup": allow_plaintext_backup, - "auto_rotate_period": auto_rotate_period, - } - ) - api_path = utils.format_url( - "/v1/{mount_point}/keys/{name}/config", - mount_point=mount_point, - name=name, - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def rotate_key(self, name, mount_point=DEFAULT_MOUNT_POINT): - """Rotate the version of the named key. - - After rotation, new plaintext requests will be encrypted with the new version of the key. To upgrade ciphertext - to be encrypted with the latest version of the key, use the rewrap endpoint. This is only supported with keys - that support encryption and decryption operations. - - Supported methods: - POST: /{mount_point}/keys/{name}/rotate. Produces: 204 (empty body) - - :param name: Specifies the name of the key to read information about. This is specified as part of the URL. - :type name: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url( - "/v1/{mount_point}/keys/{name}/rotate", - mount_point=mount_point, - name=name, - ) - return self._adapter.post( - url=api_path, - ) - - def export_key(self, name, key_type, version=None, mount_point=DEFAULT_MOUNT_POINT): - """Return the named key. - - The keys object shows the value of the key for each version. 
If version is specified, the specific version will - be returned. If latest is provided as the version, the current key will be provided. Depending on the type of - key, different information may be returned. The key must be exportable to support this operation and the version - must still be valid. - - Supported methods: - GET: /{mount_point}/export/{key_type}/{name}(/{version}). Produces: 200 application/json - - :param name: Specifies the name of the key to read information about. This is specified as part of the URL. - :type name: str | unicode - :param key_type: Specifies the type of the key to export. This is specified as part of the URL. Valid values are: - encryption-key - signing-key - hmac-key - :type key_type: str | unicode - :param version: Specifies the version of the key to read. If omitted, all versions of the key will be returned. - If the version is set to latest, the current key will be returned. - :type version: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. 
- :rtype: dict - """ - if key_type not in transit_constants.ALLOWED_EXPORT_KEY_TYPES: - error_msg = 'invalid key_type argument provided "{arg}", supported types: "{allowed_types}"' - raise exceptions.ParamValidationError( - error_msg.format( - arg=key_type, - allowed_types=", ".join(transit_constants.ALLOWED_EXPORT_KEY_TYPES), - ) - ) - api_path = utils.format_url( - "/v1/{mount_point}/export/{key_type}/{name}", - mount_point=mount_point, - key_type=key_type, - name=name, - ) - if version is not None: - api_path = self._adapter.urljoin(api_path, version) - return self._adapter.get( - url=api_path, - ) - - def encrypt_data( - self, - name, - plaintext=None, - context=None, - key_version=None, - nonce=None, - batch_input=None, - type=None, - convergent_encryption=None, - mount_point=DEFAULT_MOUNT_POINT, - associated_data=None, - ): - """Encrypt the provided plaintext using the named key. - - This path supports the create and update policy capabilities as follows: if the user has the create capability - for this endpoint in their policies, and the key does not exist, it will be upserted with default values - (whether the key requires derivation depends on whether the context parameter is empty or not). If the user only - has update capability and the key does not exist, an error will be returned. - - Supported methods: - POST: /{mount_point}/encrypt/{name}. Produces: 200 application/json - - :param name: Specifies the name of the encryption key to encrypt against. This is specified as part of the URL. - :type name: str | unicode - :param plaintext: Specifies base64 encoded plaintext to be encoded. Ignored if ``batch_input`` is set, otherwise required. - :type plaintext: str | unicode - :param context: Specifies the base64 encoded context for key derivation. This is required if key derivation is - enabled for this key. 
- :type context: str | unicode - :param associated_data: Specifies base64 encoded associated data (also known as additional data or AAD) to also be authenticated - with AEAD ciphers (aes128-gcm96, aes256-gcm, and chacha20-poly1305) - :type associated_data: str | unicode - :param key_version: Specifies the version of the key to use for encryption. If not set, uses the latest version. - Must be greater than or equal to the key's min_encryption_version, if set. - :type key_version: int - :param nonce: Specifies the base64 encoded nonce value. This must be provided if convergent encryption is - enabled for this key and the key was generated with Vault 0.6.1. Not required for keys created in 0.6.2+. - The value must be exactly 96 bits (12 bytes) long and the user must ensure that for any given context (and - thus, any given encryption key) this nonce value is never reused. - :type nonce: str | unicode - :param batch_input: Specifies a list of items to be encrypted in a single batch. When this parameter is set, if - the parameters 'plaintext', 'context' and 'nonce' are also set, they will be ignored. The format for the - input is: [dict(context="b64_context", plaintext="b64_plaintext"), ...] - :type batch_input: List[dict] - :param type: This parameter is required when encryption key is expected to be created. When performing an - upsert operation, the type of key to create. - :type type: str | unicode - :param convergent_encryption: This parameter will only be used when a key is expected to be created. Whether to - support convergent encryption. This is only supported when using a key with key derivation enabled and will - require all requests to carry both a context and 96-bit (12-byte) nonce. The given nonce will be used in - place of a randomly generated nonce. As a result, when the same context and nonce are supplied, the same - ciphertext is generated. It is very important when using this mode that you ensure that all nonces are - unique for a given context. 
Failing to do so will severely impact the ciphertext's security. - :type convergent_encryption: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: dict - """ - if plaintext is None and batch_input is None: - raise ValueError("plaintext must be specified unless batch_input is set") - params = { - "plaintext": plaintext, - } - params.update( - utils.remove_nones( - { - "context": context, - "associated_data": associated_data, - "key_version": key_version, - "nonce": nonce, - "batch_input": batch_input, - "type": type, - "convergent_encryption": convergent_encryption, - } - ) - ) - api_path = utils.format_url( - "/v1/{mount_point}/encrypt/{name}", - mount_point=mount_point, - name=name, - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def decrypt_data( - self, - name, - ciphertext=None, - context=None, - nonce=None, - batch_input=None, - mount_point=DEFAULT_MOUNT_POINT, - associated_data=None, - ): - """Decrypt the provided ciphertext using the named key. - - Supported methods: - POST: /{mount_point}/decrypt/{name}. Produces: 200 application/json - - :param name: Specifies the name of the encryption key to decrypt against. This is specified as part of the URL. - :type name: str | unicode - :param ciphertext: The ciphertext to decrypt. Ignored if ``batch_input`` is set, otherwise required. - :type ciphertext: str | unicode - :param context: Specifies the base64 encoded context for key derivation. This is required if key derivation is - enabled. - :type context: str | unicode - :param associated_data: Specifies base64 encoded associated data (also known as additional data or AAD) to also - be authenticated with AEAD ciphers (aes128-gcm96, aes256-gcm, and chacha20-poly1305) - :type associated_data: str | unicode - :param nonce: Specifies a base64 encoded nonce value used during encryption. 
Must be provided if convergent - encryption is enabled for this key and the key was generated with Vault 0.6.1. Not required for keys created - in 0.6.2+. - :type nonce: str | unicode - :param batch_input: Specifies a list of items to be decrypted in a single batch. When this parameter is set, if - the parameters 'ciphertext', 'context' and 'nonce' are also set, they will be ignored. Format for the input - goes like this: [dict(context="b64_context", ciphertext="b64_plaintext"), ...] - :type batch_input: List[dict] - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: dict - """ - if ciphertext is None and batch_input is None: - raise ValueError("ciphertext must be specified unless batch_input is set") - params = { - "ciphertext": ciphertext, - } - params.update( - utils.remove_nones( - { - "context": context, - "associated_data": associated_data, - "nonce": nonce, - "batch_input": batch_input, - } - ) - ) - api_path = utils.format_url( - "/v1/{mount_point}/decrypt/{name}", - mount_point=mount_point, - name=name, - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def rewrap_data( - self, - name, - ciphertext, - context=None, - key_version=None, - nonce=None, - batch_input=None, - mount_point=DEFAULT_MOUNT_POINT, - ): - """Rewrap the provided ciphertext using the latest version of the named key. - - Because this never returns plaintext, it is possible to delegate this functionality to untrusted users or scripts. - - Supported methods: - POST: /{mount_point}/rewrap/{name}. Produces: 200 application/json - - :param name: Specifies the name of the encryption key to re-encrypt against. This is specified as part of the URL. - :type name: str | unicode - :param ciphertext: Specifies the ciphertext to re-encrypt. - :type ciphertext: str | unicode - :param context: Specifies the base64 encoded context for key derivation. 
This is required if key derivation is - enabled. - :type context: str | unicode - :param key_version: Specifies the version of the key to use for the operation. If not set, uses the latest - version. Must be greater than or equal to the key's min_encryption_version, if set. - :type key_version: int - :param nonce: Specifies a base64 encoded nonce value used during encryption. Must be provided if convergent - encryption is enabled for this key and the key was generated with Vault 0.6.1. Not required for keys created - in 0.6.2+. - :type nonce: str | unicode - :param batch_input: Specifies a list of items to be decrypted in a single batch. When this parameter is set, if - the parameters 'ciphertext', 'context' and 'nonce' are also set, they will be ignored. Format for the input - goes like this: [dict(context="b64_context", ciphertext="b64_plaintext"), ...] - :type batch_input: List[dict] - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: dict - """ - params = { - "ciphertext": ciphertext, - } - params.update( - utils.remove_nones( - { - "context": context, - "key_version": key_version, - "nonce": nonce, - "batch_input": batch_input, - } - ) - ) - api_path = utils.format_url( - "/v1/{mount_point}/rewrap/{name}", - mount_point=mount_point, - name=name, - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def generate_data_key( - self, - name, - key_type, - context=None, - nonce=None, - bits=None, - mount_point=DEFAULT_MOUNT_POINT, - ): - """Generates a new high-entropy key and the value encrypted with the named key. - - Optionally return the plaintext of the key as well. Whether plaintext is returned depends on the path; as a - result, you can use Vault ACL policies to control whether a user is allowed to retrieve the plaintext value of a - key. 
This is useful if you want an untrusted user or operation to generate keys that are then made available to - trusted users. - - Supported methods: - POST: /{mount_point}/datakey/{key_type}/{name}. Produces: 200 application/json - - :param name: Specifies the name of the encryption key to use to encrypt the datakey. This is specified as part - of the URL. - :type name: str | unicode - :param key_type: Specifies the type of key to generate. If plaintext, the plaintext key will be returned along - with the ciphertext. If wrapped, only the ciphertext value will be returned. This is specified as part of - the URL. - :type key_type: str | unicode - :param context: Specifies the key derivation context, provided as a base64-encoded string. This must be provided - if derivation is enabled. - :type context: str | unicode - :param nonce: Specifies a nonce value, provided as base64 encoded. Must be provided if convergent encryption is - enabled for this key and the key was generated with Vault 0.6.1. Not required for keys created in 0.6.2+. - The value must be exactly 96 bits (12 bytes) long and the user must ensure that for any given context (and - thus, any given encryption key) this nonce value is never reused. - :type nonce: str | unicode - :param bits: Specifies the number of bits in the desired key. Can be 128, 256, or 512. - :type bits: int - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. 
- :rtype: dict - """ - if key_type not in transit_constants.ALLOWED_DATA_KEY_TYPES: - error_msg = 'invalid key_type argument provided "{arg}", supported types: "{allowed_types}"' - raise exceptions.ParamValidationError( - error_msg.format( - arg=key_type, - allowed_types=", ".join(transit_constants.ALLOWED_DATA_KEY_TYPES), - ) - ) - if bits is not None and bits not in transit_constants.ALLOWED_DATA_KEY_BITS: - error_msg = 'invalid bits argument provided "{arg}", supported values: "{allowed_values}"' - raise exceptions.ParamValidationError( - error_msg.format( - arg=bits, - allowed_values=", ".join( - [str(b) for b in transit_constants.ALLOWED_DATA_KEY_BITS] - ), - ) - ) - params = utils.remove_nones( - { - "context": context, - "nonce": nonce, - "bits": bits, - } - ) - api_path = utils.format_url( - "/v1/{mount_point}/datakey/{key_type}/{name}", - mount_point=mount_point, - key_type=key_type, - name=name, - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def generate_random_bytes( - self, n_bytes=None, output_format=None, mount_point=DEFAULT_MOUNT_POINT - ): - """Return high-quality random bytes of the specified length. - - Supported methods: - POST: /{mount_point}/random(/{bytes}). Produces: 200 application/json - - :param n_bytes: Specifies the number of bytes to return. This value can be specified either in the request body, - or as a part of the URL. - :type n_bytes: int - :param output_format: Specifies the output encoding. Valid options are hex or base64. - :type output_format: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. 
- :rtype: dict - """ - params = utils.remove_nones( - { - "bytes": n_bytes, - "format": output_format, - } - ) - api_path = utils.format_url("/v1/{mount_point}/random", mount_point=mount_point) - return self._adapter.post( - url=api_path, - json=params, - ) - - def hash_data( - self, - hash_input, - algorithm=None, - output_format=None, - mount_point=DEFAULT_MOUNT_POINT, - ): - """Return the cryptographic hash of given data using the specified algorithm. - - Supported methods: - POST: /{mount_point}/hash(/{algorithm}). Produces: 200 application/json - - :param hash_input: Specifies the base64 encoded input data. - :type hash_input: str | unicode - :param algorithm: Specifies the hash algorithm to use. This can also be specified as part of the URL. - Currently-supported algorithms are: sha2-224, sha2-256, sha2-384, sha2-512 - :type algorithm: str | unicode - :param output_format: Specifies the output encoding. This can be either hex or base64. - :type output_format: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. 
- :rtype: dict - """ - if ( - algorithm is not None - and algorithm not in transit_constants.ALLOWED_HASH_DATA_ALGORITHMS - ): - error_msg = 'invalid algorithm argument provided "{arg}", supported types: "{allowed_types}"' - raise exceptions.ParamValidationError( - error_msg.format( - arg=algorithm, - allowed_types=", ".join( - transit_constants.ALLOWED_HASH_DATA_ALGORITHMS - ), - ) - ) - if ( - output_format is not None - and output_format not in transit_constants.ALLOWED_HASH_DATA_FORMATS - ): - error_msg = 'invalid output_format argument provided "{arg}", supported types: "{allowed_types}"' - raise exceptions.ParamValidationError( - error_msg.format( - arg=output_format, - allowed_types=", ".join( - transit_constants.ALLOWED_HASH_DATA_FORMATS - ), - ) - ) - params = { - "input": hash_input, - } - params.update( - utils.remove_nones( - { - "algorithm": algorithm, - "format": output_format, - } - ) - ) - api_path = utils.format_url("/v1/{mount_point}/hash", mount_point=mount_point) - return self._adapter.post( - url=api_path, - json=params, - ) - - def generate_hmac( - self, - name, - hash_input, - key_version=None, - algorithm=None, - mount_point=DEFAULT_MOUNT_POINT, - ): - """Return the digest of given data using the specified hash algorithm and the named key. - - The key can be of any type supported by transit; the raw key will be marshaled into bytes to be used for the - HMAC function. If the key is of a type that supports rotation, the latest (current) version will be used. - - Supported methods: - POST: /{mount_point}/hmac/{name}(/{algorithm}). Produces: 200 application/json - - :param name: Specifies the name of the encryption key to generate hmac against. This is specified as part of the - URL. - :type name: str | unicode - :param hash_input: Specifies the base64 encoded input data. - :type input: str | unicode - :param key_version: Specifies the version of the key to use for the operation. If not set, uses the latest - version. 
Must be greater than or equal to the key's min_encryption_version, if set. - :type key_version: int - :param algorithm: Specifies the hash algorithm to use. This can also be specified as part of the URL. - Currently-supported algorithms are: sha2-224, sha2-256, sha2-384, sha2-512 - :type algorithm: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: dict - """ - if ( - algorithm is not None - and algorithm not in transit_constants.ALLOWED_HASH_DATA_ALGORITHMS - ): - error_msg = 'invalid algorithm argument provided "{arg}", supported types: "{allowed_types}"' - raise exceptions.ParamValidationError( - error_msg.format( - arg=algorithm, - allowed_types=", ".join( - transit_constants.ALLOWED_HASH_DATA_ALGORITHMS - ), - ) - ) - params = { - "input": hash_input, - } - params.update( - utils.remove_nones( - { - "key_version": key_version, - "algorithm": algorithm, - } - ) - ) - api_path = utils.format_url( - "/v1/{mount_point}/hmac/{name}", - mount_point=mount_point, - name=name, - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def sign_data( - self, - name, - hash_input=None, - key_version=None, - hash_algorithm=None, - context=None, - prehashed=None, - signature_algorithm=None, - marshaling_algorithm=None, - salt_length=None, - mount_point=DEFAULT_MOUNT_POINT, - batch_input=None, - ): - """Return the cryptographic signature of the given data using the named key and the specified hash algorithm. - - The key must be of a type that supports signing. - - Supported methods: - POST: /{mount_point}/sign/{name}(/{hash_algorithm}). Produces: 200 application/json - - :param name: Specifies the name of the encryption key to use for signing. This is specified as part of the URL. - :type name: str | unicode - :param hash_input: Specifies the base64 encoded input data. 
- This parameter is mutually exclusive with the ``batch_results`` parameter, but one of them must be supplied. - If both are set, or neither are set, an exception will be raised. - :type hash_input: str | unicode - :param key_version: Specifies the version of the key to use for signing. If not set, uses the latest version. - Must be greater than or equal to the key's min_encryption_version, if set. - :type key_version: int - :param hash_algorithm: Specifies the hash algorithm to use for supporting key types (notably, not including - ed25519 which specifies its own hash algorithm). This can also be specified as part of the URL. - Currently-supported algorithms are: sha2-224, sha2-256, sha2-384, sha2-512 - :type hash_algorithm: str | unicode - :param context: Base64 encoded context for key derivation. Required if key derivation is enabled; currently only - available with ed25519 keys. - :type context: str | unicode - :param prehashed: Set to true when the input is already hashed. If the key type is rsa-2048 or rsa-4096, then - the algorithm used to hash the input should be indicated by the hash_algorithm parameter. Just as the value - to sign should be the base64-encoded representation of the exact binary data you want signed, when set, input - is expected to be base64-encoded binary hashed data, not hex-formatted. (As an example, on the command line, - you could generate a suitable input via openssl dgst -sha256 -binary | base64.) - :type prehashed: bool - :param signature_algorithm: When using a RSA key, specifies the RSA signature algorithm to use for signing. - Supported signature types are: pss, pkcs1v15 - :type signature_algorithm: str | unicode - :param marshaling_algorithm: Specifies the way in which the signature should be marshaled. This currently only applies to ECDSA keys. - Supported types are: asn1, jws - :type marshaling_algorithm: str | unicode - :param salt_length: The salt length used to sign. Currently only applies to the RSA PSS signature scheme. 
- Options are 'auto' (the default used by Golang, causing the salt to be as large as possible when signing), - 'hash' (causes the salt length to equal the length of the hash used in the signature), - or an integer between the minimum and the maximum permissible salt lengths for the given RSA key size. - Defaults to 'auto'. - :type salt_length: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :param batch_input: Specifies a list of items for processing. - Any batch output will preserve the order of the batch input. - If the input data value of an item is invalid, the corresponding item in the ``batch_results`` - will have the key ``error`` with a value describing the error. - This parameter is mutually exclusive with the ``hash_input`` parameter, but one of them must be supplied. - If both are set, or neither are set, an exception will be raised. - Responses are returned in the ``batch_results`` array component of the ``data`` element of the response. - :type batch_input: List[Dict[str, str]] - :return: The JSON response of the request. 
- :rtype: dict - """ - if ( - hash_algorithm is not None - and hash_algorithm not in transit_constants.ALLOWED_HASH_DATA_ALGORITHMS - ): - error_msg = 'invalid hash_algorithm argument provided "{arg}", supported types: "{allowed_types}"' - raise exceptions.ParamValidationError( - error_msg.format( - arg=hash_algorithm, - allowed_types=", ".join( - transit_constants.ALLOWED_HASH_DATA_ALGORITHMS - ), - ) - ) - if ( - signature_algorithm is not None - and signature_algorithm - not in transit_constants.ALLOWED_SIGNATURE_ALGORITHMS - ): - error_msg = 'invalid signature_algorithm argument provided "{arg}", supported types: "{allowed_types}"' - raise exceptions.ParamValidationError( - error_msg.format( - arg=signature_algorithm, - allowed_types=", ".join( - transit_constants.ALLOWED_SIGNATURE_ALGORITHMS - ), - ) - ) - if ( - marshaling_algorithm is not None - and marshaling_algorithm - not in transit_constants.ALLOWED_MARSHALING_ALGORITHMS - ): - error_msg = 'invalid marshaling_algorithm argument provided "{arg}", supported types: "{allowed_types}"' - raise exceptions.ParamValidationError( - error_msg.format( - arg=marshaling_algorithm, - allowed_types=", ".join( - transit_constants.ALLOWED_MARSHALING_ALGORITHMS - ), - ) - ) - if ( - salt_length is not None - and not transit_constants.ALLOWED_SALT_LENGTHS.fullmatch(salt_length) - ): - error_msg = 'invalid salt_length argument provided "{arg}", supported types: "{allowed_types}"' - raise exceptions.ParamValidationError( - error_msg.format( - arg=salt_length, - allowed_types=transit_constants.ALLOWED_SALT_LENGTHS.pattern, - ) - ) - - if hash_input is None and batch_input is None: - error_msg = "Invalid parameter combination: Please provide only one of the following parameters: 'hash_input' or 'batch_input'." 
- raise exceptions.ParamValidationError(message=error_msg) - - if hash_input is not None and batch_input is not None: - error_msg = "Invalid parameter combination: 'hash_input' or 'batch_input' should be provided, not both." - raise exceptions.ParamValidationError(message=error_msg) - - params = { - "input": hash_input, - } - params.update( - utils.remove_nones( - { - "key_version": key_version, - "hash_algorithm": hash_algorithm, - "context": context, - "prehashed": prehashed, - "signature_algorithm": signature_algorithm, - "marshaling_algorithm": marshaling_algorithm, - "salt_length": salt_length, - "batch_input": batch_input, - } - ) - ) - - api_path = utils.format_url( - "/v1/{mount_point}/sign/{name}", - mount_point=mount_point, - name=name, - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def verify_signed_data( - self, - name, - hash_input, - signature=None, - hmac=None, - hash_algorithm=None, - context=None, - prehashed=None, - signature_algorithm=None, - salt_length=None, - marshaling_algorithm=None, - mount_point=DEFAULT_MOUNT_POINT, - ): - """Return whether the provided signature is valid for the given data. - - Supported methods: - POST: /{mount_point}/verify/{name}(/{hash_algorithm}). Produces: 200 application/json - - :param name: Specifies the name of the encryption key that was used to generate the signature or HMAC. - :type name: str | unicode - :param hash_input: Specifies the base64 encoded input data. - :type input: str | unicode - :param signature: Specifies the signature output from the /transit/sign function. Either this must be supplied - or hmac must be supplied. - :type signature: str | unicode - :param hmac: Specifies the signature output from the /transit/hmac function. Either this must be supplied or - signature must be supplied. - :type hmac: str | unicode - :param hash_algorithm: Specifies the hash algorithm to use. This can also be specified as part of the URL. 
- Currently-supported algorithms are: sha2-224, sha2-256, sha2-384, sha2-512 - :type hash_algorithm: str | unicode - :param context: Base64 encoded context for key derivation. Required if key derivation is enabled; currently only - available with ed25519 keys. - :type context: str | unicode - :param prehashed: Set to true when the input is already hashed. If the key type is rsa-2048 or rsa-4096, then - the algorithm used to hash the input should be indicated by the hash_algorithm parameter. - :type prehashed: bool - :param signature_algorithm: When using a RSA key, specifies the RSA signature algorithm to use for signature - verification. Supported signature types are: pss, pkcs1v15 - :type signature_algorithm: str | unicode - :param marshaling_algorithm: Specifies the way in which the signature should be marshaled. This currently only applies to ECDSA keys. - Supported types are: asn1, jws - :type marshaling_algorithm: str | unicode - :param salt_length: The salt length used to sign. Currently only applies to the RSA PSS signature scheme. - Options are 'auto' (the default used by Golang, causing the salt to be as large as possible when signing), - 'hash' (causes the salt length to equal the length of the hash used in the signature), - or an integer between the minimum and the maximum permissible salt lengths for the given RSA key size. - Defaults to 'auto'. - :type salt_length: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. 
- :rtype: dict - """ - if (signature is None and hmac is None) or ( - signature is not None and hmac is not None - ): - error_msg = 'either "signature" or "hmac" argument (but not both) must be provided to verify signature' - raise exceptions.ParamValidationError(error_msg) - if ( - hash_algorithm is not None - and hash_algorithm not in transit_constants.ALLOWED_HASH_DATA_ALGORITHMS - ): - error_msg = 'invalid hash_algorithm argument provided "{arg}", supported types: "{allowed_types}"' - raise exceptions.ParamValidationError( - error_msg.format( - arg=hash_algorithm, - allowed_types=", ".join( - transit_constants.ALLOWED_HASH_DATA_ALGORITHMS - ), - ) - ) - if ( - signature_algorithm is not None - and signature_algorithm - not in transit_constants.ALLOWED_SIGNATURE_ALGORITHMS - ): - error_msg = 'invalid signature_algorithm argument provided "{arg}", supported types: "{allowed_types}"' - raise exceptions.ParamValidationError( - error_msg.format( - arg=signature_algorithm, - allowed_types=", ".join( - transit_constants.ALLOWED_SIGNATURE_ALGORITHMS - ), - ) - ) - if ( - marshaling_algorithm is not None - and marshaling_algorithm - not in transit_constants.ALLOWED_MARSHALING_ALGORITHMS - ): - error_msg = 'invalid marshaling_algorithm argument provided "{arg}", supported types: "{allowed_types}"' - raise exceptions.ParamValidationError( - error_msg.format( - arg=marshaling_algorithm, - allowed_types=", ".join( - transit_constants.ALLOWED_MARSHALING_ALGORITHMS - ), - ) - ) - if ( - salt_length is not None - and not transit_constants.ALLOWED_SALT_LENGTHS.fullmatch(salt_length) - ): - error_msg = 'invalid salt_length argument provided "{arg}", supported types: "{allowed_types}"' - raise exceptions.ParamValidationError( - error_msg.format( - arg=salt_length, - allowed_types=transit_constants.ALLOWED_SALT_LENGTHS.pattern, - ) - ) - params = { - "name": name, - "input": hash_input, - } - params.update( - utils.remove_nones( - { - "hash_algorithm": hash_algorithm, - 
"signature": signature, - "hmac": hmac, - "context": context, - "prehashed": prehashed, - "signature_algorithm": signature_algorithm, - "marshaling_algorithm": marshaling_algorithm, - "salt_length": salt_length, - } - ) - ) - api_path = utils.format_url( - "/v1/{mount_point}/verify/{name}", mount_point=mount_point, name=name - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def backup_key(self, name, mount_point=DEFAULT_MOUNT_POINT): - """Return a plaintext backup of a named key. - - The backup contains all the configuration data and keys of all the versions along with the HMAC key. The - response from this endpoint can be used with the /restore endpoint to restore the key. - - Supported methods: - GET: /{mount_point}/backup/{name}. Produces: 200 application/json - - :param name: Name of the key. - :type name: str | unicode - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The JSON response of the request. - :rtype: dict - """ - api_path = utils.format_url( - "/v1/{mount_point}/backup/{name}", - mount_point=mount_point, - name=name, - ) - return self._adapter.get( - url=api_path, - ) - - def restore_key( - self, backup, name=None, force=None, mount_point=DEFAULT_MOUNT_POINT - ): - """Restore the backup as a named key. - - This will restore the key configurations and all the versions of the named key along with HMAC keys. The input - to this endpoint should be the output of /backup endpoint. For safety, by default the backend will refuse to - restore to an existing key. If you want to reuse a key name, it is recommended you delete the key before - restoring. It is a good idea to attempt restoring to a different key name first to verify that the operation - successfully completes. - - Supported methods: - POST: /{mount_point}/restore(/name). Produces: 204 (empty body) - - :param backup: Backed up key data to be restored. This should be the output from the /backup endpoint. 
- :type backup: str | unicode - :param name: If set, this will be the name of the restored key. - :type name: str | unicode - :param force: If set, force the restore to proceed even if a key by this name already exists. - :type force: bool - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - params = { - "backup": backup, - } - params.update( - utils.remove_nones( - { - "force": force, - } - ) - ) - api_path = utils.format_url( - "/v1/{mount_point}/restore", mount_point=mount_point - ) - if name is not None: - api_path = self._adapter.urljoin(api_path, name) - return self._adapter.post( - url=api_path, - json=params, - ) - - def trim_key(self, name, min_version, mount_point=DEFAULT_MOUNT_POINT): - """Trims older key versions setting a minimum version for the keyring. - - Once trimmed, previous versions of the key cannot be recovered. - - Supported methods: - POST: /{mount_point}/keys/{name}/trim. Produces: 200 application/json - - :param name: Specifies the name of the key to be trimmed. - :type name: str | unicode - :param min_version: The minimum version for the key ring. All versions before this version will be permanently - deleted. This value can at most be equal to the lesser of min_decryption_version and min_encryption_version. - This is not allowed to be set when either min_encryption_version or min_decryption_version is set to zero. - :type min_version: int - :param mount_point: The "path" the method/backend was mounted on. - :type mount_point: str | unicode - :return: The response of the request. - :rtype: dict - """ - params = { - "min_available_version": min_version, - } - api_path = utils.format_url( - "/v1/{mount_point}/keys/{name}/trim", - mount_point=mount_point, - name=name, - ) - return self._adapter.post( - url=api_path, - json=params, - ) 
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__init__.py b/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__init__.py
deleted file mode 100644
index 970a5dc..0000000
--- a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__init__.py
+++ /dev/null
@@ -1,85 +0,0 @@
-"""Collection of Vault system backend API endpoint classes."""
-import logging
-
-from hvac.api.system_backend.audit import Audit
-from hvac.api.system_backend.auth import Auth
-from hvac.api.system_backend.capabilities import Capabilities
-from hvac.api.system_backend.health import Health
-from hvac.api.system_backend.init import Init
-from hvac.api.system_backend.key import Key
-from hvac.api.system_backend.leader import Leader
-from hvac.api.system_backend.lease import Lease
-from hvac.api.system_backend.mount import Mount
-from hvac.api.system_backend.namespace import Namespace
-from hvac.api.system_backend.policies import Policies
-from hvac.api.system_backend.policy import Policy
-from hvac.api.system_backend.quota import Quota
-from hvac.api.system_backend.raft import Raft
-from hvac.api.system_backend.seal import Seal
-from hvac.api.system_backend.system_backend_mixin import SystemBackendMixin
-from hvac.api.system_backend.wrapping import Wrapping
-from hvac.api.vault_api_category import VaultApiCategory
-
-__all__ = (
- "Audit",
- "Auth",
- "Capabilities",
- "Health",
- "Init",
- "Key",
- "Leader",
- "Lease",
- "Mount",
- "Namespace",
- "Policies",
- "Policy",
- "Quota",
- "Raft",
- "Seal",
- "SystemBackend",
- "SystemBackendMixin",
- "Wrapping",
-)
-
-
-logger = logging.getLogger(__name__)
-
-
-class SystemBackend(
- VaultApiCategory,
- Audit,
- Auth,
- Capabilities,
- Health,
- Init,
- Key,
- Leader,
- Lease,
- Mount,
- Namespace,
- Policies,
- Policy,
- Quota,
- Raft,
- Seal,
- Wrapping,
-):
- implemented_classes = [
- Audit,
- Auth,
- Capabilities,
- Health,
- Init,
- Key,
- Leader,
- Lease,
- Mount,
- Namespace,
- Policies,
- Policy,
- Quota,
- Raft,
- Seal,
- Wrapping,
- ]
- unimplemented_classes = []
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/__init__.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/__init__.cpython-312.pyc
deleted file mode 100644
index 9d964ec..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/__init__.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/audit.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/audit.cpython-312.pyc
deleted file mode 100644
index 20aca3e..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/audit.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/auth.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/auth.cpython-312.pyc
deleted file mode 100644
index 2d0127c..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/auth.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/capabilities.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/capabilities.cpython-312.pyc
deleted file mode 100644
index 123547d..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/capabilities.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/health.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/health.cpython-312.pyc
deleted file mode 100644
index bf83504..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/health.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/init.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/init.cpython-312.pyc
deleted file mode 100644
index 9ede413..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/init.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/key.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/key.cpython-312.pyc
deleted file mode 100644
index 48a4f4f..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/key.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/leader.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/leader.cpython-312.pyc
deleted file mode 100644
index 729648a..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/leader.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/lease.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/lease.cpython-312.pyc
deleted file mode 100644
index e548a91..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/lease.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/mount.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/mount.cpython-312.pyc
deleted file mode 100644
index daecbea..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/mount.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/namespace.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/namespace.cpython-312.pyc
deleted file mode 100644
index 5fd6bd5..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/namespace.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/policies.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/policies.cpython-312.pyc
deleted file mode 100644
index 565d0c3..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/policies.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/policy.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/policy.cpython-312.pyc
deleted file mode 100644
index d827a25..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/policy.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/quota.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/quota.cpython-312.pyc
deleted file mode 100644
index 3d975ca..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/quota.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/raft.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/raft.cpython-312.pyc
deleted file mode 100644
index eb58c41..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/raft.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/seal.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/seal.cpython-312.pyc
deleted file mode 100644
index 64bb413..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/seal.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/system_backend_mixin.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/system_backend_mixin.cpython-312.pyc
deleted file mode 100644
index e0823ea..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/system_backend_mixin.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/wrapping.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/wrapping.cpython-312.pyc
deleted file mode 100644
index 89727a1..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/__pycache__/wrapping.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/audit.py b/.venv/lib/python3.12/site-packages/hvac/api/system_backend/audit.py
deleted file mode 100644
index 22869bb..0000000
--- a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/audit.py
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/usr/bin/env python
-"""Support for "Audit"-related System Backend Methods."""
-from hvac import utils
-from hvac.api.system_backend.system_backend_mixin import SystemBackendMixin
-
-
-class Audit(SystemBackendMixin):
- def list_enabled_audit_devices(self):
- """List enabled audit devices.
-
- It does not list all available audit devices.
- This endpoint requires sudo capability in addition to any path-specific capabilities.
-
- Supported methods:
- GET: /sys/audit. Produces: 200 application/json
-
- :return: JSON response of the request.
- :rtype: dict
- """
- return self._adapter.get("/v1/sys/audit")
-
- def enable_audit_device(
- self, device_type, description=None, options=None, path=None, local=None
- ):
- """Enable a new audit device at the supplied path.
-
- The path can be a single word name or a more complex, nested path.
-
- Supported methods:
- PUT: /sys/audit/{path}. Produces: 204 (empty body)
-
- :param device_type: Specifies the type of the audit device.
- :type device_type: str | unicode
- :param description: Human-friendly description of the audit device.
- :type description: str | unicode
- :param options: Configuration options to pass to the audit device itself. This is
- dependent on the audit device type.
- :type options: str | unicode
- :param path: Specifies the path in which to enable the audit device. This is part of
- the request URL.
- :type path: str | unicode
- :param local: Specifies if the audit device is a local only.
- :type local: bool
- :return: The response of the request.
- :rtype: requests.Response
- """
-
- if path is None:
- path = device_type
-
- params = {
- "type": device_type,
- }
- params.update(
- utils.remove_nones(
- {
- "description": description,
- "options": options,
- "local": local,
- }
- )
- )
-
- api_path = utils.format_url("/v1/sys/audit/{path}", path=path)
- return self._adapter.post(url=api_path, json=params)
-
- def disable_audit_device(self, path):
- """Disable the audit device at the given path.
-
- Supported methods:
- DELETE: /sys/audit/{path}. Produces: 204 (empty body)
-
- :param path: The path of the audit device to delete. This is part of the request URL.
- :type path: str | unicode
- :return: The response of the request.
- :rtype: requests.Response
- """
- api_path = utils.format_url("/v1/sys/audit/{path}", path=path)
- return self._adapter.delete(
- url=api_path,
- )
-
- def calculate_hash(self, path, input_to_hash):
- """Hash the given input data with the specified audit device's hash function and salt.
-
- This endpoint can be used to discover whether a given plaintext string (the input parameter) appears in the
- audit log in obfuscated form.
-
- Supported methods:
- POST: /sys/audit-hash/{path}. Produces: 204 (empty body)
-
- :param path: The path of the audit device to generate hashes for. This is part of the request URL.
- :type path: str | unicode
- :param input_to_hash: The input string to hash.
- :type input_to_hash: str | unicode
- :return: The JSON response of the request.
- :rtype: requests.Response
- """
- params = {
- "input": input_to_hash,
- }
-
- api_path = utils.format_url("/v1/sys/audit-hash/{path}", path=path)
- return self._adapter.post(url=api_path, json=params)
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/auth.py b/.venv/lib/python3.12/site-packages/hvac/api/system_backend/auth.py
deleted file mode 100644
index f00b833..0000000
--- a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/auth.py
+++ /dev/null
@@ -1,212 +0,0 @@
-#!/usr/bin/env python
-"""Support for "Auth"-related System Backend Methods."""
-from hvac.api.system_backend.system_backend_mixin import SystemBackendMixin
-from hvac.utils import validate_list_of_strings_param, list_to_comma_delimited
-from hvac import exceptions, utils
-
-
-class Auth(SystemBackendMixin):
- def list_auth_methods(self):
- """List all enabled auth methods.
-
- Supported methods:
- GET: /sys/auth. Produces: 200 application/json
-
- :return: The JSON response of the request.
- :rtype: dict
- """
- api_path = "/v1/sys/auth"
- return self._adapter.get(
- url=api_path,
- )
-
- def enable_auth_method(
- self,
- method_type,
- description=None,
- config=None,
- plugin_name=None,
- local=False,
- path=None,
- **kwargs
- ):
- """Enable a new auth method.
-
- After enabling, the auth method can be accessed and configured via the auth path specified as part of the URL.
- This auth path will be nested under the auth prefix.
-
- Supported methods:
- POST: /sys/auth/{path}. Produces: 204 (empty body)
-
- :param method_type: The name of the authentication method type, such as "github" or "token".
- :type method_type: str | unicode
- :param description: A human-friendly description of the auth method.
- :type description: str | unicode
- :param config: Configuration options for this auth method. These are the possible values:
-
- * **default_lease_ttl**: The default lease duration, specified as a string duration like "5s" or "30m".
- * **max_lease_ttl**: The maximum lease duration, specified as a string duration like "5s" or "30m".
- * **audit_non_hmac_request_keys**: Comma-separated list of keys that will not be HMAC'd by audit devices in
- the request data object.
- * **audit_non_hmac_response_keys**: Comma-separated list of keys that will not be HMAC'd by audit devices in
- the response data object.
- * **listing_visibility**: Specifies whether to show this mount in the UI-specific listing endpoint.
- * **passthrough_request_headers**: Comma-separated list of headers to whitelist and pass from the request to
- the backend.
- :type config: dict
- :param plugin_name: The name of the auth plugin to use based from the name in the plugin catalog. Applies only
- to plugin methods.
- :type plugin_name: str | unicode
- :param local: Specifies if the auth method is a local only. Local auth methods are not
- replicated nor (if a secondary) removed by replication.
- :type local: bool
- :param path: The path to mount the method on. If not provided, defaults to the value of the "method_type"
- argument.
- :type path: str | unicode
- :param kwargs: All dicts are accepted and passed to vault. See your specific secret engine for details on which
- extra key-word arguments you might want to pass.
- :type kwargs: dict
- :return: The response of the request.
- :rtype: requests.Response
- """
- if path is None:
- path = method_type
-
- params = {
- "type": method_type,
- }
- params.update(
- utils.remove_nones(
- {
- "description": description,
- "config": config,
- "plugin_name": plugin_name,
- "local": local,
- }
- )
- )
- params.update(kwargs)
- api_path = utils.format_url("/v1/sys/auth/{path}", path=path)
- return self._adapter.post(url=api_path, json=params)
-
- def disable_auth_method(self, path):
- """Disable the auth method at the given auth path.
-
- Supported methods:
- DELETE: /sys/auth/{path}. Produces: 204 (empty body)
-
- :param path: The path the method was mounted on. If not provided, defaults to the value of the "method_type"
- argument.
- :type path: str | unicode
- :return: The response of the request.
- :rtype: requests.Response
- """
- api_path = utils.format_url("/v1/sys/auth/{path}", path=path)
- return self._adapter.delete(
- url=api_path,
- )
-
- def read_auth_method_tuning(self, path):
- """Read the given auth path's configuration.
-
- This endpoint requires sudo capability on the final path, but the same functionality can be achieved without
- sudo via sys/mounts/auth/[auth-path]/tune.
-
- Supported methods:
- GET: /sys/auth/{path}/tune. Produces: 200 application/json
-
- :param path: The path the method was mounted on. If not provided, defaults to the value of the "method_type"
- argument.
- :type path: str | unicode
- :return: The JSON response of the request.
- :rtype: dict
- """
- api_path = utils.format_url(
- "/v1/sys/auth/{path}/tune",
- path=path,
- )
- return self._adapter.get(
- url=api_path,
- )
-
- def tune_auth_method(
- self,
- path,
- default_lease_ttl=None,
- max_lease_ttl=None,
- description=None,
- audit_non_hmac_request_keys=None,
- audit_non_hmac_response_keys=None,
- listing_visibility=None,
- passthrough_request_headers=None,
- **kwargs
- ):
- """Tune configuration parameters for a given auth path.
-
- This endpoint requires sudo capability on the final path, but the same functionality can be achieved without
- sudo via sys/mounts/auth/[auth-path]/tune.
-
- Supported methods:
- POST: /sys/auth/{path}/tune. Produces: 204 (empty body)
-
- :param path: The path the method was mounted on. If not provided, defaults to the value of the "method_type"
- argument.
- :type path: str | unicode
- :param default_lease_ttl: Specifies the default time-to-live. If set on a specific auth path, this overrides the
- global default.
- :type default_lease_ttl: int
- :param max_lease_ttl: The maximum time-to-live. If set on a specific auth path, this overrides the global
- default.
- :type max_lease_ttl: int
- :param description: Specifies the description of the mount. This overrides the current stored value, if any.
- :type description: str | unicode
- :param audit_non_hmac_request_keys: Specifies the list of keys that will not be HMAC'd by audit devices in the
- request data object.
- :type audit_non_hmac_request_keys: array
- :param audit_non_hmac_response_keys: Specifies the list of keys that will not be HMAC'd by audit devices in the
- response data object.
- :type audit_non_hmac_response_keys: list
- :param listing_visibility: Specifies whether to show this mount in the UI-specific listing endpoint. Valid
- values are "unauth" or "".
- :type listing_visibility: list
- :param passthrough_request_headers: List of headers to whitelist and pass from the request to the backend.
- :type passthrough_request_headers: list
- :param kwargs: All dicts are accepted and passed to vault. See your specific secret engine for details on which
- extra key-word arguments you might want to pass.
- :type kwargs: dict
- :return: The response of the request.
- :rtype: requests.Response
- """
-
- if listing_visibility is not None and listing_visibility not in ["unauth", ""]:
- error_msg = 'invalid listing_visibility argument provided: "{arg}"; valid values: "unauth" or ""'.format(
- arg=listing_visibility,
- )
- raise exceptions.ParamValidationError(error_msg)
-
- # All parameters are optional for this method. Until/unless we include input validation, we simply loop over the
- # parameters and add which parameters are set.
- optional_parameters = {
- "default_lease_ttl": {},
- "max_lease_ttl": {},
- "description": {},
- "audit_non_hmac_request_keys": dict(comma_delimited_list=True),
- "audit_non_hmac_response_keys": dict(comma_delimited_list=True),
- "listing_visibility": {},
- "passthrough_request_headers": dict(comma_delimited_list=True),
- }
- params = {}
- for optional_parameter, parameter_specification in optional_parameters.items():
- if locals().get(optional_parameter) is not None:
- if parameter_specification.get("comma_delimited_list"):
- argument = locals().get(optional_parameter)
- validate_list_of_strings_param(optional_parameter, argument)
- params[optional_parameter] = list_to_comma_delimited(argument)
- else:
- params[optional_parameter] = locals().get(optional_parameter)
- params.update(kwargs)
- api_path = utils.format_url("/v1/sys/auth/{path}/tune", path=path)
- return self._adapter.post(
- url=api_path,
- json=params,
- )
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/capabilities.py b/.venv/lib/python3.12/site-packages/hvac/api/system_backend/capabilities.py
deleted file mode 100644
index 0d25c23..0000000
--- a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/capabilities.py
+++ /dev/null
@@ -1,43 +0,0 @@
-from hvac.api.system_backend.system_backend_mixin import SystemBackendMixin
-
-
-class Capabilities(SystemBackendMixin):
- def get_capabilities(self, paths, token=None, accessor=None):
- """Get the capabilities associated with a token.
-
- Supported methods:
- POST: /sys/capabilities-self. Produces: 200 application/json
- POST: /sys/capabilities. Produces: 200 application/json
- POST: /sys/capabilities-accessor. Produces: 200 application/json
-
- :param paths: Paths on which capabilities are being queried.
- :type paths: List[str]
- :param token: Token for which capabilities are being queried.
- :type token: str
- :param accessor: Accessor of the token for which capabilities are being queried.
- :type accessor: str
- :return: The JSON response of the request.
- :rtype: dict
- """
- params = {
- "paths": paths,
- }
-
- if token and accessor:
- raise ValueError("You can specify either token or accessor, not both.")
- elif token:
- # https://www.vaultproject.io/api/system/capabilities.html
- params["token"] = token
- api_path = "/v1/sys/capabilities"
- elif accessor:
- # https://www.vaultproject.io/api/system/capabilities-accessor.html
- params["accessor"] = accessor
- api_path = "/v1/sys/capabilities-accessor"
- else:
- # https://www.vaultproject.io/api/system/capabilities-self.html
- api_path = "/v1/sys/capabilities-self"
-
- return self._adapter.post(
- url=api_path,
- json=params,
- )
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/health.py b/.venv/lib/python3.12/site-packages/hvac/api/system_backend/health.py
deleted file mode 100644
index b3e35c0..0000000
--- a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/health.py
+++ /dev/null
@@ -1,83 +0,0 @@
-#!/usr/bin/env python
-"""Support for "Health"-related System Backend Methods."""
-from hvac import exceptions, utils
-from hvac.api.system_backend.system_backend_mixin import SystemBackendMixin
-
-
-class Health(SystemBackendMixin):
- """.
-
- Reference: https://www.vaultproject.io/api-docs/system/health
- """
-
- def read_health_status(
- self,
- standby_ok=None,
- active_code=None,
- standby_code=None,
- dr_secondary_code=None,
- performance_standby_code=None,
- sealed_code=None,
- uninit_code=None,
- method="HEAD",
- ):
- """Read the health status of Vault.
-
- This matches the semantics of a Consul HTTP health check and provides a simple way to monitor the health of a
- Vault instance.
-
-
- :param standby_ok: Specifies if being a standby should still return the active status code instead of the
- standby status code. This is useful when Vault is behind a non-configurable load balance that just wants a
- 200-level response.
- :type standby_ok: bool
- :param active_code: The status code that should be returned for an active node.
- :type active_code: int
- :param standby_code: Specifies the status code that should be returned for a standby node.
- :type standby_code: int
- :param dr_secondary_code: Specifies the status code that should be returned for a DR secondary node.
- :type dr_secondary_code: int
- :param performance_standby_code: Specifies the status code that should be returned for a performance standby
- node.
- :type performance_standby_code: int
- :param sealed_code: Specifies the status code that should be returned for a sealed node.
- :type sealed_code: int
- :param uninit_code: Specifies the status code that should be returned for a uninitialized node.
- :type uninit_code: int
- :param method: Supported methods:
- HEAD: /sys/health. Produces: 000 (empty body)
- GET: /sys/health. Produces: 000 application/json
- :type method: str | unicode
- :return: The JSON response of the request.
- :rtype: requests.Response
- """
- params = utils.remove_nones(
- {
- "standbyok": standby_ok,
- "activecode": active_code,
- "standbycode": standby_code,
- "drsecondarycode": dr_secondary_code,
- "performancestandbycode": performance_standby_code,
- "sealedcode": sealed_code,
- "uninitcode": uninit_code,
- }
- )
-
- if method == "HEAD":
- api_path = utils.format_url("/v1/sys/health")
- return self._adapter.head(
- url=api_path,
- raise_exception=False,
- )
- elif method == "GET":
- api_path = utils.format_url("/v1/sys/health")
- return self._adapter.get(
- url=api_path,
- params=params,
- raise_exception=False,
- )
- else:
- error_message = '"method" parameter provided invalid value; HEAD or GET allowed, "{method}" provided'.format(
- method=method
- )
- raise exceptions.ParamValidationError(error_message)
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/init.py b/.venv/lib/python3.12/site-packages/hvac/api/system_backend/init.py
deleted file mode 100644
index 3c4e232..0000000
--- a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/init.py
+++ /dev/null
@@ -1,146 +0,0 @@
-import warnings
-from hvac.api.system_backend.system_backend_mixin import SystemBackendMixin
-from hvac.exceptions import ParamValidationError
-
-
-class Init(SystemBackendMixin):
- def read_init_status(self):
- """Read the initialization status of Vault.
-
- Supported methods:
- GET: /sys/init. Produces: 200 application/json
-
- :return: The JSON response of the request.
- :rtype: dict
- """
- api_path = "/v1/sys/init"
- return self._adapter.get(
- url=api_path,
- )
-
- def is_initialized(self):
- """Determine is Vault is initialized or not.
-
- :return: True if Vault is initialized, False otherwise.
- :rtype: bool
- """
- status = self.read_init_status()
- return status["initialized"]
-
- def initialize(
- self,
- secret_shares=None,
- secret_threshold=None,
- pgp_keys=None,
- root_token_pgp_key=None,
- stored_shares=None,
- recovery_shares=None,
- recovery_threshold=None,
- recovery_pgp_keys=None,
- ):
- """Initialize a new Vault.
-
- The Vault must not have been previously initialized. The recovery options, as well as the stored shares option,
- are only available when using Vault HSM.
-
- Supported methods:
- PUT: /sys/init. Produces: 200 application/json
-
- :param secret_shares: The number of shares to split the master key into.
- :type secret_shares: int
- :param secret_threshold: Specifies the number of shares required to reconstruct the master key. This must be
- less than or equal secret_shares. If using Vault HSM with auto-unsealing, this value must be the same as
- secret_shares, or omitted, depending on the version of Vault and the seal type.
- :type secret_threshold: int
- :param pgp_keys: List of PGP public keys used to encrypt the output unseal keys.
- Ordering is preserved. The keys must be base64-encoded from their original binary representation.
- The size of this array must be the same as secret_shares.
- :type pgp_keys: list
- :param root_token_pgp_key: Specifies a PGP public key used to encrypt the initial root token. The
- key must be base64-encoded from its original binary representation.
- :type root_token_pgp_key: str | unicode
- :param stored_shares: Specifies the number of shares that should be encrypted by the HSM and
- stored for auto-unsealing. Currently must be the same as secret_shares.
- :type stored_shares: int
- :param recovery_shares: Specifies the number of shares to split the recovery key into.
- :type recovery_shares: int
- :param recovery_threshold: Specifies the number of shares required to reconstruct the recovery
- key. This must be less than or equal to recovery_shares.
- :type recovery_threshold: int
- :param recovery_pgp_keys: Specifies an array of PGP public keys used to encrypt the output
- recovery keys. Ordering is preserved. The keys must be base64-encoded from their original binary
- representation. The size of this array must be the same as recovery_shares.
- :type recovery_pgp_keys: list
- :return: The JSON response of the request.
- :rtype: dict
- """
-
- # TODO(v3.0.0): remove this
- if recovery_shares is None and secret_shares is None:
- msg = (
- "The secret_shares parameter will default to None in hvac v3.0.0. "
- "To use the old default with no warning, explicitly set this value to 5. "
- "See https://github.com/hvac/hvac/issues/1030"
- )
- warnings.warn(
- message=msg,
- category=DeprecationWarning,
- stacklevel=2,
- )
- secret_shares = 5
-
- # TODO(v3.0.0): remove this
- if recovery_threshold is None and secret_threshold is None:
- msg = (
- "The secret_threshold parameter will default to None in hvac v3.0.0. "
- "To use the old default with no warning, explicitly set this value to 3. "
- "See https://github.com/hvac/hvac/issues/1030"
- )
- warnings.warn(
- message=msg,
- category=DeprecationWarning,
- stacklevel=2,
- )
- secret_threshold = 3
-
- params = {
- "secret_shares": secret_shares,
- "secret_threshold": secret_threshold,
- "root_token_pgp_key": root_token_pgp_key,
- }
-
- if pgp_keys is not None and secret_shares is not None:
- if len(pgp_keys) != secret_shares:
- raise ParamValidationError(
- "length of pgp_keys list argument must equal secret_shares value"
- )
- params["pgp_keys"] = pgp_keys
-
- if stored_shares is not None and secret_shares is not None:
- if stored_shares != secret_shares:
- raise ParamValidationError(
- "value for stored_shares argument must equal secret_shares argument"
- )
- params["stored_shares"] = stored_shares
-
- if recovery_shares is not None:
- params["recovery_shares"] = recovery_shares
-
- if recovery_threshold is not None:
- if recovery_threshold > recovery_shares:
- error_msg = "value for recovery_threshold argument must be less than or equal to recovery_shares argument"
- raise ParamValidationError(error_msg)
- params["recovery_threshold"] = recovery_threshold
-
- if recovery_pgp_keys is not None:
- if len(recovery_pgp_keys) != recovery_shares:
- raise ParamValidationError(
- "length of recovery_pgp_keys list argument must equal recovery_shares value"
- )
- params["recovery_pgp_keys"] = recovery_pgp_keys
-
- api_path = "/v1/sys/init"
- return self._adapter.put(
- url=api_path,
- json=params,
- )
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/key.py b/.venv/lib/python3.12/site-packages/hvac/api/system_backend/key.py
deleted file mode 100644
index 16b86e7..0000000
--- a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/key.py
+++ /dev/null
@@ -1,407 +0,0 @@
-from hvac.api.system_backend.system_backend_mixin import SystemBackendMixin
-from hvac.exceptions import ParamValidationError
-
-
-class Key(SystemBackendMixin):
- def read_root_generation_progress(self):
- """Read the configuration and process of the current root generation attempt.
-
- Supported methods:
- GET: /sys/generate-root/attempt. Produces: 200 application/json
-
- :return: The JSON response of the request.
- :rtype: dict
- """
- api_path = "/v1/sys/generate-root/attempt"
- return self._adapter.get(
- url=api_path,
- )
-
- def start_root_token_generation(self, otp=None, pgp_key=None):
- """Initialize a new root generation attempt.
-
- Only a single root generation attempt can take place at a time. One (and only one) of otp or pgp_key are
- required.
-
- Supported methods:
- PUT: /sys/generate-root/attempt. Produces: 200 application/json
-
- :param otp: Specifies a base64-encoded 16-byte value. The raw bytes of the token will be XOR'd with this value
- before being returned to the final unseal key provider.
- :type otp: str | unicode
- :param pgp_key: Specifies a base64-encoded PGP public key. The raw bytes of the token will be encrypted with
- this value before being returned to the final unseal key provider.
- :type pgp_key: str | unicode
- :return: The JSON response of the request.
- :rtype: dict
- """
- params = {}
- if otp is not None and pgp_key is not None:
- raise ParamValidationError(
- "one (and only one) of otp or pgp_key arguments are required"
- )
- if otp is not None:
- params["otp"] = otp
- if pgp_key is not None:
- params["pgp_key"] = pgp_key
-
- api_path = "/v1/sys/generate-root/attempt"
- return self._adapter.put(url=api_path, json=params)
-
- def generate_root(self, key, nonce):
- """Enter a single master key share to progress the root generation attempt.
-
- If the threshold number of master key shares is reached, Vault will complete the root generation and issue the
- new token. 
Otherwise, this API must be called multiple times until that threshold is met. The attempt nonce must
- be provided with each call.
-
- Supported methods:
- PUT: /sys/generate-root/update. Produces: 200 application/json
-
- :param key: Specifies a single master key share.
- :type key: str | unicode
- :param nonce: The nonce of the attempt.
- :type nonce: str | unicode
- :return: The JSON response of the request.
- :rtype: dict
- """
- params = {
- "key": key,
- "nonce": nonce,
- }
- api_path = "/v1/sys/generate-root/update"
- return self._adapter.put(
- url=api_path,
- json=params,
- )
-
- def cancel_root_generation(self):
- """Cancel any in-progress root generation attempt.
-
- This clears any progress made. This must be called to change the OTP or PGP key being used.
-
- Supported methods:
- DELETE: /sys/generate-root/attempt. Produces: 204 (empty body)
-
- :return: The response of the request.
- :rtype: request.Response
- """
- api_path = "/v1/sys/generate-root/attempt"
- return self._adapter.delete(
- url=api_path,
- )
-
- def get_encryption_key_status(self):
- """Read information about the current encryption key used by Vault.
-
- Supported methods:
- GET: /sys/key-status. Produces: 200 application/json
-
- :return: JSON response with information regarding the current encryption key used by Vault.
- :rtype: dict
- """
- api_path = "/v1/sys/key-status"
- return self._adapter.get(
- url=api_path,
- )
-
- def rotate_encryption_key(self):
- """Trigger a rotation of the backend encryption key.
-
- This is the key that is used to encrypt data written to the storage backend, and is not provided to operators.
- This operation is done online. Future values are encrypted with the new key, while old values are decrypted with
- previous encryption keys.
-
- This path requires sudo capability in addition to update.
-
- Supported methods:
- PUT: /sys/rorate. Produces: 204 (empty body)
-
- :return: The response of the request. 
- :rtype: requests.Response
- """
- api_path = "/v1/sys/rotate"
- return self._adapter.put(
- url=api_path,
- )
-
- def read_rekey_progress(self, recovery_key=False):
- """Read the configuration and progress of the current rekey attempt.
-
- Supported methods:
- GET: /sys/rekey-recovery-key/init. Produces: 200 application/json
- GET: /sys/rekey/init. Produces: 200 application/json
-
- :param recovery_key: If true, send requests to "rekey-recovery-key" instead of "rekey" api path.
- :type recovery_key: bool
- :return: The JSON response of the request.
- :rtype: requests.Response
- """
- api_path = "/v1/sys/rekey/init"
- if recovery_key:
- api_path = "/v1/sys/rekey-recovery-key/init"
- return self._adapter.get(
- url=api_path,
- )
-
- def start_rekey(
- self,
- secret_shares=5,
- secret_threshold=3,
- pgp_keys=None,
- backup=False,
- require_verification=False,
- recovery_key=False,
- ):
- """Initializes a new rekey attempt.
-
- Only a single recovery key rekeyattempt can take place at a time, and changing the parameters of a rekey
- requires canceling and starting a new rekey, which will also provide a new nonce.
-
- Supported methods:
- PUT: /sys/rekey/init. Produces: 204 (empty body)
- PUT: /sys/rekey-recovery-key/init. Produces: 204 (empty body)
-
- :param secret_shares: Specifies the number of shares to split the master key into.
- :type secret_shares: int
- :param secret_threshold: Specifies the number of shares required to reconstruct the master key. This must be
- less than or equal to secret_shares.
- :type secret_threshold: int
- :param pgp_keys: Specifies an array of PGP public keys used to encrypt the output unseal keys. Ordering is
- preserved. The keys must be base64-encoded from their original binary representation. The size of this array
- must be the same as secret_shares. 
- :type pgp_keys: list
- :param backup: Specifies if using PGP-encrypted keys, whether Vault should also store a plaintext backup of the
- PGP-encrypted keys at core/unseal-keys-backup in the physical storage backend. These can then be retrieved
- and removed via the sys/rekey/backup endpoint.
- :type backup: bool
- :param require_verification: This turns on verification functionality. When verification is turned on, after
- successful authorization with the current unseal keys, the new unseal keys are returned but the master key
- is not actually rotated. The new keys must be provided to authorize the actual rotation of the master key.
- This ensures that the new keys have been successfully saved and protects against a risk of the keys being
- lost after rotation but before they can be persisted. This can be used with without pgp_keys, and when used
- with it, it allows ensuring that the returned keys can be successfully decrypted before committing to the
- new shares, which the backup functionality does not provide.
- :param recovery_key: If true, send requests to "rekey-recovery-key" instead of "rekey" api path.
- :type recovery_key: bool
- :type require_verification: bool
- :return: The JSON dict of the response.
- :rtype: dict | request.Response
- """
- params = {
- "secret_shares": secret_shares,
- "secret_threshold": secret_threshold,
- "require_verification": require_verification,
- }
-
- if pgp_keys:
- if len(pgp_keys) != secret_shares:
- raise ParamValidationError(
- "length of pgp_keys argument must equal secret shares value"
- )
-
- params["pgp_keys"] = pgp_keys
- params["backup"] = backup
-
- api_path = "/v1/sys/rekey/init"
- if recovery_key:
- api_path = "/v1/sys/rekey-recovery-key/init"
- return self._adapter.put(
- url=api_path,
- json=params,
- )
-
- def cancel_rekey(self, recovery_key=False):
- """Cancel any in-progress rekey.
-
- This clears the rekey settings as well as any progress made. 
This must be called to change the parameters of the
- rekey.
-
- Note: Verification is still a part of a rekey. If rekeying is canceled during the verification flow, the current
- unseal keys remain valid.
-
- Supported methods:
- DELETE: /sys/rekey/init. Produces: 204 (empty body)
- DELETE: /sys/rekey-recovery-key/init. Produces: 204 (empty body)
-
- :param recovery_key: If true, send requests to "rekey-recovery-key" instead of "rekey" api path.
- :type recovery_key: bool
- :return: The response of the request.
- :rtype: requests.Response
- """
- api_path = "/v1/sys/rekey/init"
- if recovery_key:
- api_path = "/v1/sys/rekey-recovery-key/init"
- return self._adapter.delete(
- url=api_path,
- )
-
- def rekey(self, key, nonce=None, recovery_key=False):
- """Enter a single recovery key share to progress the rekey of the Vault.
-
- If the threshold number of recovery key shares is reached, Vault will complete the rekey. Otherwise, this API
- must be called multiple times until that threshold is met. The rekey nonce operation must be provided with each
- call.
-
- Supported methods:
- PUT: /sys/rekey/update. Produces: 200 application/json
- PUT: /sys/rekey-recovery-key/update. Produces: 200 application/json
-
- :param key: Specifies a single recovery share key.
- :type key: str | unicode
- :param nonce: Specifies the nonce of the rekey operation.
- :type nonce: str | unicode
- :param recovery_key: If true, send requests to "rekey-recovery-key" instead of "rekey" api path.
- :type recovery_key: bool
- :return: The JSON response of the request.
- :rtype: dict
- """
- params = {
- "key": key,
- }
-
- if nonce is not None:
- params["nonce"] = nonce
-
- api_path = "/v1/sys/rekey/update"
- if recovery_key:
- api_path = "/v1/sys/rekey-recovery-key/update"
- return self._adapter.put(
- url=api_path,
- json=params,
- )
-
- def rekey_multi(self, keys, nonce=None, recovery_key=False):
- """Enter multiple recovery key shares to progress the rekey of the Vault. 
-
- If the threshold number of recovery key shares is reached, Vault will complete the rekey.
-
- :param keys: Specifies multiple recovery share keys.
- :type keys: list
- :param nonce: Specifies the nonce of the rekey operation.
- :type nonce: str | unicode
- :param recovery_key: If true, send requests to "rekey-recovery-key" instead of "rekey" api path.
- :type recovery_key: bool
- :return: The last response of the rekey request.
- :rtype: response.Request
- """
- result = None
-
- for key in keys:
- result = self.rekey(
- key=key,
- nonce=nonce,
- recovery_key=recovery_key,
- )
- if result.get("complete"):
- break
-
- return result
-
- def read_backup_keys(self, recovery_key=False):
- """Retrieve the backup copy of PGP-encrypted unseal keys.
-
- The returned value is the nonce of the rekey operation and a map of PGP key fingerprint to hex-encoded
- PGP-encrypted key.
-
- Supported methods:
- PUT: /sys/rekey/backup. Produces: 200 application/json
- PUT: /sys/rekey-recovery-key/backup. Produces: 200 application/json
-
- :param recovery_key: If true, send requests to "rekey-recovery-key" instead of "rekey" api path.
- :type recovery_key: bool
- :return: The JSON response of the request.
- :rtype: dict
- """
- api_path = "/v1/sys/rekey/backup"
- if recovery_key:
- api_path = "/v1/sys/rekey/recovery-key-backup"
- return self._adapter.get(
- url=api_path,
- )
-
- def cancel_rekey_verify(self):
- """Cancel any in-progress rekey verification.
- This clears any progress made and resets the nonce. Unlike cancel_rekey, this only resets
- the current verification operation, not the entire rekey atttempt.
- The return value is the same as GET along with the new nonce.
-
- Supported methods:
- DELETE: /sys/rekey/verify. Produces: 204 (empty body)
-
- :return: The response of the request. 
- :rtype: requests.Response
- """
- api_path = "/v1/sys/rekey/verify"
- return self._adapter.delete(
- url=api_path,
- )
-
- def rekey_verify(self, key, nonce):
- """Enter a single new recovery key share to progress the rekey verification of the Vault.
- If the threshold number of new recovery key shares is reached, Vault will complete the
- rekey. Otherwise, this API must be called multiple times until that threshold is met.
- The rekey verification nonce must be provided with each call.
-
- Supported methods:
- PUT: /sys/rekey/verify. Produces: 200 application/json
-
- :param key: Specifies multiple recovery share keys.
- :type key: str | unicode
- :param nonce: Specifies the nonce of the rekey verify operation.
- :type nonce: str | unicode
- :return: The JSON response of the request.
- :rtype: dict
- """
- params = {
- "key": key,
- "nonce": nonce,
- }
-
- api_path = "/v1/sys/rekey/verify"
- return self._adapter.put(
- url=api_path,
- json=params,
- )
-
- def rekey_verify_multi(self, keys, nonce):
- """Enter multiple new recovery key shares to progress the rekey verification of the Vault.
- If the threshold number of new recovery key shares is reached, Vault will complete the
- rekey. Otherwise, this API must be called multiple times until that threshold is met.
- The rekey verification nonce must be provided with each call.
-
- Supported methods:
- PUT: /sys/rekey/verify. Produces: 200 application/json
-
- :param keys: Specifies multiple recovery share keys.
- :type keys: list
- :param nonce: Specifies the nonce of the rekey verify operation.
- :type nonce: str | unicode
- :return: The JSON response of the request.
- :rtype: dict
- """
- result = None
-
- for key in keys:
- result = self.rekey_verify(
- key=key,
- nonce=nonce,
- )
- if result.get("complete"):
- break
-
- return result
-
- def read_rekey_verify_progress(self):
- """Read the configuration and progress of the current rekey verify attempt.
-
- Supported methods:
- GET: /sys/rekey/verify. 
Produces: 200 application/json
-
- :return: The JSON response of the request.
- :rtype: requests.Response
- """
- api_path = "/v1/sys/rekey/verify"
- return self._adapter.get(
- url=api_path,
- )
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/leader.py b/.venv/lib/python3.12/site-packages/hvac/api/system_backend/leader.py
deleted file mode 100644
index 9366bc8..0000000
--- a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/leader.py
+++ /dev/null
@@ -1,35 +0,0 @@
-from hvac.api.system_backend.system_backend_mixin import SystemBackendMixin
-
-
-class Leader(SystemBackendMixin):
- def read_leader_status(self):
- """Read the high availability status and current leader instance of Vault.
-
- Supported methods:
- GET: /sys/leader. Produces: 200 application/json
-
- :return: The JSON response of the request.
- :rtype: dict
- """
- api_path = "/v1/sys/leader"
- return self._adapter.get(
- url=api_path,
- )
-
- def step_down(self):
- """Force the node to give up active status.
-
- When executed against a non-active node, i.e. a standby or performance
- standby node, the request will be forwarded to the active node.
- Note that the node will sleep for ten seconds before attempting to grab
- the active lock again, but if no standby nodes grab the active lock in
- the interim, the same node may become the active node again. Requires a
- token with root policy or sudo capability on the path.
-
- :return: The JSON response of the request.
- :rtype: dict
- """
- api_path = "/v1/sys/step-down"
- return self._adapter.put(
- url=api_path,
- )
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/lease.py b/.venv/lib/python3.12/site-packages/hvac/api/system_backend/lease.py
deleted file mode 100644
index 6df50c5..0000000
--- a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/lease.py
+++ /dev/null
@@ -1,131 +0,0 @@
-from hvac import utils
-from hvac.api.system_backend.system_backend_mixin import SystemBackendMixin
-
-
-class Lease(SystemBackendMixin):
- def read_lease(self, lease_id):
- """Retrieve lease metadata.
-
- Supported methods:
- PUT: /sys/leases/lookup. Produces: 200 application/json
-
- :param lease_id: the ID of the lease to lookup.
- :type lease_id: str | unicode
- :return: Parsed JSON response from the leases PUT request
- :rtype: dict.
- """
- params = {"lease_id": lease_id}
- api_path = "/v1/sys/leases/lookup"
- return self._adapter.put(url=api_path, json=params)
-
- def list_leases(self, prefix):
- """Retrieve a list of lease ids.
-
- Supported methods:
- LIST: /sys/leases/lookup/{prefix}. Produces: 200 application/json
-
- :param prefix: Lease prefix to filter list by.
- :type prefix: str | unicode
- :return: The JSON response of the request.
- :rtype: dict
- """
- api_path = utils.format_url("/v1/sys/leases/lookup/{prefix}", prefix=prefix)
- return self._adapter.list(
- url=api_path,
- )
-
- def renew_lease(self, lease_id, increment=None):
- """Renew a lease, requesting to extend the lease.
-
- Supported methods:
- PUT: /sys/leases/renew. Produces: 200 application/json
-
- :param lease_id: The ID of the lease to extend.
- :type lease_id: str | unicode
- :param increment: The requested amount of time (in seconds) to extend the lease.
- :type increment: int
- :return: The JSON response of the request
- :rtype: dict
- """
- params = {
- "lease_id": lease_id,
- "increment": increment,
- }
- api_path = "/v1/sys/leases/renew"
- return self._adapter.put(
- url=api_path,
- json=params,
- )
-
- def revoke_lease(self, lease_id):
- """Revoke a lease immediately.
-
- Supported methods:
- PUT: /sys/leases/revoke. Produces: 204 (empty body)
-
- :param lease_id: Specifies the ID of the lease to revoke.
- :type lease_id: str | unicode
- :return: The response of the request. 
- :rtype: requests.Response
- """
- params = {
- "lease_id": lease_id,
- }
- api_path = "/v1/sys/leases/revoke"
- return self._adapter.put(
- url=api_path,
- json=params,
- )
-
- def revoke_prefix(self, prefix):
- """Revoke all secrets (via a lease ID prefix) or tokens (via the tokens' path property) generated under a given
- prefix immediately.
-
- This requires sudo capability and access to it should be tightly controlled as it can be used to revoke very
- large numbers of secrets/tokens at once.
-
- Supported methods:
- PUT: /sys/leases/revoke-prefix/{prefix}. Produces: 204 (empty body)
-
-
- :param prefix: The prefix to revoke.
- :type prefix: str | unicode
- :return: The response of the request.
- :rtype: requests.Response
- """
- params = {
- "prefix": prefix,
- }
- api_path = utils.format_url(
- "/v1/sys/leases/revoke-prefix/{prefix}", prefix=prefix
- )
- return self._adapter.put(
- url=api_path,
- json=params,
- )
-
- def revoke_force(self, prefix):
- """Revoke all secrets or tokens generated under a given prefix immediately.
-
- Unlike revoke_prefix, this path ignores backend errors encountered during revocation. This is potentially very
- dangerous and should only be used in specific emergency situations where errors in the backend or the connected
- backend service prevent normal revocation.
-
- Supported methods:
- PUT: /sys/leases/revoke-force/{prefix}. Produces: 204 (empty body)
-
- :param prefix: The prefix to revoke.
- :type prefix: str | unicode
- :return: The response of the request.
- :rtype: requests.Response
- """
- params = {
- "prefix": prefix,
- }
- api_path = utils.format_url(
- "/v1/sys/leases/revoke-force/{prefix}", prefix=prefix
- )
- return self._adapter.put(
- url=api_path,
- json=params,
- )
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/mount.py b/.venv/lib/python3.12/site-packages/hvac/api/system_backend/mount.py
deleted file mode 100644
index 6cd34b0..0000000
--- a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/mount.py
+++ /dev/null
@@ -1,239 +0,0 @@
-from hvac import utils
-from hvac.api.system_backend.system_backend_mixin import SystemBackendMixin
-
-
-class Mount(SystemBackendMixin):
- def list_mounted_secrets_engines(self):
- """Lists all the mounted secrets engines.
-
- Supported methods:
- POST: /sys/mounts. Produces: 200 application/json
-
- :return: JSON response of the request.
- :rtype: dict
- """
- return self._adapter.get("/v1/sys/mounts")
-
- def retrieve_mount_option(self, mount_point, option_name, default_value=None):
- secrets_engine_path = f"{mount_point}/"
- secrets_engines_list = self.list_mounted_secrets_engines()["data"]
- mount_options = secrets_engines_list[secrets_engine_path].get("options")
- if mount_options is None:
- return default_value
-
- return mount_options.get(option_name, default_value)
-
- def enable_secrets_engine(
- self,
- backend_type,
- path=None,
- description=None,
- config=None,
- plugin_name=None,
- options=None,
- local=False,
- seal_wrap=False,
- **kwargs,
- ):
- """Enable a new secrets engine at the given path.
-
- Supported methods:
- POST: /sys/mounts/{path}. Produces: 204 (empty body)
-
- :param backend_type: The name of the backend type, such as "github" or "token".
- :type backend_type: str | unicode
- :param path: The path to mount the method on. If not provided, defaults to the value of the "backend_type"
- argument.
- :type path: str | unicode
- :param description: A human-friendly description of the mount.
- :type description: str | unicode
- :param config: Configuration options for this mount. These are the possible values:
-
- * **default_lease_ttl**: The default lease duration, specified as a string duration like "5s" or "30m".
- * **max_lease_ttl**: The maximum lease duration, specified as a string duration like "5s" or "30m".
- * **force_no_cache**: Disable caching.
- * **plugin_name**: The name of the plugin in the plugin catalog to use. 
- * **audit_non_hmac_request_keys**: Comma-separated list of keys that will not be HMAC'd by audit devices in
- the request data object.
- * **audit_non_hmac_response_keys**: Comma-separated list of keys that will not be HMAC'd by audit devices in
- the response data object.
- * **listing_visibility**: Specifies whether to show this mount in the UI-specific listing endpoint. ("unauth" or "hidden")
- * **passthrough_request_headers**: Comma-separated list of headers to whitelist and pass from the request to
- the backend.
- :type config: dict
- :param options: Specifies mount type specific options that are passed to the backend.
-
- * **version**: The version of the KV to mount. Set to "2" for mount KV v2.
- :type options: dict
- :param plugin_name: Specifies the name of the plugin to use based from the name in the plugin catalog. Applies only to plugin backends.
- :type plugin_name: str | unicode
- :param local: Specifies if the auth method is a local only. Local auth methods are not
- replicated nor (if a secondary) removed by replication.
- :type local: bool
- :param seal_wrap: Enable seal wrapping for the mount.
- :type seal_wrap: bool
- :param kwargs: All dicts are accepted and passed to vault. See your specific secret engine for details on which
- extra key-word arguments you might want to pass.
- :type kwargs: dict
- :return: The response of the request.
- :rtype: requests.Response
- """
- if path is None:
- path = backend_type
-
- params = {
- "type": backend_type,
- "description": description,
- "config": config,
- "options": options,
- "plugin_name": plugin_name,
- "local": local,
- "seal_wrap": seal_wrap,
- }
-
- params.update(kwargs)
-
- api_path = utils.format_url("/v1/sys/mounts/{path}", path=path)
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def disable_secrets_engine(self, path):
- """Disable the mount point specified by the provided path.
-
- Supported methods:
- DELETE: /sys/mounts/{path}. 
Produces: 204 (empty body)
-
- :param path: Specifies the path where the secrets engine will be mounted. This is specified as part of the URL.
- :type path: str | unicode
- :return: The response of the request.
- :rtype: requests.Response
- """
- api_path = utils.format_url("/v1/sys/mounts/{path}", path=path)
- return self._adapter.delete(
- url=api_path,
- )
-
- def read_mount_configuration(self, path):
- """Read the given mount's configuration.
-
- Unlike the mounts endpoint, this will return the current time in seconds for each TTL, which may be the system
- default or a mount-specific value.
-
- Supported methods:
- GET: /sys/mounts/{path}/tune. Produces: 200 application/json
-
- :param path: Specifies the path where the secrets engine will be mounted. This is specified as part of the URL.
- :type path: str | unicode
- :return: The JSON response of the request.
- :rtype: requests.Response
- """
- api_path = utils.format_url("/v1/sys/mounts/{path}/tune", path=path)
- return self._adapter.get(
- url=api_path,
- )
-
- def tune_mount_configuration(
- self,
- path,
- default_lease_ttl=None,
- max_lease_ttl=None,
- description=None,
- audit_non_hmac_request_keys=None,
- audit_non_hmac_response_keys=None,
- listing_visibility=None,
- passthrough_request_headers=None,
- options=None,
- force_no_cache=None,
- **kwargs,
- ):
- """Tune configuration parameters for a given mount point.
-
- Supported methods:
- POST: /sys/mounts/{path}/tune. Produces: 204 (empty body)
-
- :param path: Specifies the path where the secrets engine will be mounted. This is specified as part of the URL.
- :type path: str | unicode
- :param mount_point: The path the associated secret backend is mounted
- :type mount_point: str
- :param description: Specifies the description of the mount. This overrides the current stored value, if any.
- :type description: str
- :param default_lease_ttl: Default time-to-live. This overrides the global default. 
A value of 0 is equivalent to
- the system default TTL
- :type default_lease_ttl: int
- :param max_lease_ttl: Maximum time-to-live. This overrides the global default. A value of 0 are equivalent and
- set to the system max TTL.
- :type max_lease_ttl: int
- :param audit_non_hmac_request_keys: Specifies the comma-separated list of keys that will not be HMAC'd by audit
- devices in the request data object.
- :type audit_non_hmac_request_keys: list
- :param audit_non_hmac_response_keys: Specifies the comma-separated list of keys that will not be HMAC'd by audit
- devices in the response data object.
- :type audit_non_hmac_response_keys: list
- :param listing_visibility: Specifies whether to show this mount in the UI-specific listing endpoint. Valid
- values are "unauth" or "".
- :type listing_visibility: str
- :param passthrough_request_headers: Comma-separated list of headers to whitelist and pass from the request
- to the backend.
- :type passthrough_request_headers: str
- :param options: Specifies mount type specific options that are passed to the backend.
-
- * **version**: The version of the KV to mount. Set to "2" for mount KV v2.
- :type options: dict
- :param force_no_cache: Disable caching.
- :type force_no_cache: bool
- :param kwargs: All dicts are accepted and passed to vault. See your specific secret engine for details on which
- extra key-word arguments you might want to pass.
- :type kwargs: dict
- :return: The response from the request.
- :rtype: request.Response
- """
- # All parameters are optional for this method. Until/unless we include input validation, we simply loop over the
- # parameters and add which parameters are set. 
- optional_parameters = [
- "default_lease_ttl",
- "max_lease_ttl",
- "description",
- "audit_non_hmac_request_keys",
- "audit_non_hmac_response_keys",
- "listing_visibility",
- "passthrough_request_headers",
- "force_no_cache",
- "options",
- ]
- params = {}
- for optional_parameter in optional_parameters:
- if locals().get(optional_parameter) is not None:
- params[optional_parameter] = locals().get(optional_parameter)
-
- params.update(kwargs)
-
- api_path = utils.format_url("/v1/sys/mounts/{path}/tune", path=path)
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def move_backend(self, from_path, to_path):
- """Move an already-mounted backend to a new mount point.
-
- Supported methods:
- POST: /sys/remount. Produces: 204 (empty body)
-
- :param from_path: Specifies the previous mount point.
- :type from_path: str | unicode
- :param to_path: Specifies the new destination mount point.
- :type to_path: str | unicode
- :return: The response of the request.
- :rtype: requests.Response
- """
- params = {
- "from": from_path,
- "to": to_path,
- }
- api_path = "/v1/sys/remount"
- return self._adapter.post(
- url=api_path,
- json=params,
- )
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/namespace.py b/.venv/lib/python3.12/site-packages/hvac/api/system_backend/namespace.py
deleted file mode 100644
index d69c76a..0000000
--- a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/namespace.py
+++ /dev/null
@@ -1,46 +0,0 @@
-from hvac import utils
-from hvac.api.system_backend.system_backend_mixin import SystemBackendMixin
-
-
-class Namespace(SystemBackendMixin):
- def create_namespace(self, path):
- """Create a namespace at the given path.
-
- Supported methods:
- POST: /sys/namespaces/{path}. Produces: 200 application/json
-
- :return: The response of the request.
- :rtype: requests.Response
- """
- api_path = utils.format_url("/v1/sys/namespaces/{path}", path=path)
- return self._adapter.post(
- url=api_path,
- )
-
- def list_namespaces(self):
- """Lists all the namespaces.
-
- Supported methods:
- LIST: /sys/namespaces. Produces: 200 application/json
-
- :return: The JSON response of the request.
- :rtype: dict
- """
- api_path = "/v1/sys/namespaces/"
- return self._adapter.list(
- url=api_path,
- )
-
- def delete_namespace(self, path):
- """Delete a namespaces. You cannot delete a namespace with existing child namespaces.
-
- Supported methods:
- DELETE: /sys/namespaces. Produces: 204 (empty body)
-
- :return: The response of the request.
- :rtype: requests.Response
- """
- api_path = utils.format_url("/v1/sys/namespaces/{path}", path=path)
- return self._adapter.delete(
- url=api_path,
- )
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/policies.py b/.venv/lib/python3.12/site-packages/hvac/api/system_backend/policies.py
deleted file mode 100644
index 8551a5c..0000000
--- a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/policies.py
+++ /dev/null
@@ -1,236 +0,0 @@ -import json - -from hvac import utils -from hvac.api.system_backend.system_backend_mixin import SystemBackendMixin - - -class Policies(SystemBackendMixin): - def list_acl_policies(self): - """List all configured acl policies. - - Supported methods: - GET: /sys/policies/acl. Produces: 200 application/json - - :return: The JSON response of the request. - :rtype: dict - """ - api_path = "/v1/sys/policies/acl" - return self._adapter.list( - url=api_path, - ) - - def read_acl_policy(self, name): - """Retrieve the policy body for the named acl policy. - - Supported methods: - GET: /sys/policies/acl/{name}. Produces: 200 application/json - - :param name: The name of the acl policy to retrieve. - :type name: str | unicode - :return: The response of the request - :rtype: dict - """ - api_path = utils.format_url("/v1/sys/policies/acl/{name}", name=name) - return self._adapter.get( - url=api_path, - ) - - def create_or_update_acl_policy(self, name, policy, pretty_print=True): - """Add a new or update an existing acl policy. - - Once a policy is updated, it takes effect immediately to all associated users. - - Supported methods: - PUT: /sys/policies/acl/{name}. Produces: 204 (empty body) - - :param name: Specifies the name of the policy to create. - :type name: str | unicode - :param policy: Specifies the policy to create or update. - :type policy: str | unicode | dict - :param pretty_print: If True, and provided a dict for the policy argument, send the policy JSON to Vault with - "pretty" formatting. - :type pretty_print: bool - :return: The response of the request. 
- :rtype: requests.Response - """ - if isinstance(policy, dict): - if pretty_print: - policy = json.dumps(policy, indent=4, sort_keys=True) - else: - policy = json.dumps(policy) - params = { - "policy": policy, - } - api_path = utils.format_url(f"/v1/sys/policies/acl/{name}", name=name) - return self._adapter.put( - url=api_path, - json=params, - ) - - def delete_acl_policy(self, name): - """Delete the acl policy with the given name. - - This will immediately affect all users associated with this policy. - - Supported methods: - DELETE: /sys/policies/acl/{name}. Produces: 204 (empty body) - - :param name: Specifies the name of the policy to delete. - :type name: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url("/v1/sys/policies/acl/{name}", name=name) - return self._adapter.delete( - url=api_path, - ) - - def list_rgp_policies(self): - """List all configured rgp policies. - - Supported methods: - GET: /sys/policies/rgp. Produces: 200 application/json - - :return: The JSON response of the request. - :rtype: dict - """ - api_path = "/v1/sys/policies/rgp" - return self._adapter.list( - url=api_path, - ) - - def read_rgp_policy(self, name): - """Retrieve the policy body for the named rgp policy. - - Supported methods: - GET: /sys/policies/rgp/{name}. Produces: 200 application/json - - :param name: The name of the rgp policy to retrieve. - :type name: str | unicode - :return: The response of the request - :rtype: dict - """ - api_path = utils.format_url("/v1/sys/policies/rgp/{name}", name=name) - return self._adapter.get( - url=api_path, - ) - - def create_or_update_rgp_policy(self, name, policy, enforcement_level): - """Add a new or update an existing rgp policy. - - Once a policy is updated, it takes effect immediately to all associated users. - - Supported methods: - PUT: /sys/policies/rgp/{name}. Produces: 204 (empty body) - - :param name: Specifies the name of the policy to create. 
- :type name: str | unicode - :param policy: Specifies the policy to create or update. - :type policy: str | unicode - :param enforcement_level: Specifies the enforcement level to use. This must be one of advisory, soft-mandatory, or hard-mandatory - :type enforcement_level: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - params = {"policy": policy, "enforcement_level": enforcement_level} - api_path = utils.format_url(f"/v1/sys/policies/rgp/{name}", name=name) - return self._adapter.put( - url=api_path, - json=params, - ) - - def delete_rgp_policy(self, name): - """Delete the rgp policy with the given name. - - This will immediately affect all users associated with this policy. - - Supported methods: - DELETE: /sys/policies/rgp/{name}. Produces: 204 (empty body) - - :param name: Specifies the name of the policy to delete. - :type name: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url("/v1/sys/policies/rgp/{name}", name=name) - return self._adapter.delete( - url=api_path, - ) - - def list_egp_policies(self): - """List all configured egp policies. - - Supported methods: - GET: /sys/policies/egp. Produces: 200 application/json - - :return: The JSON response of the request. - :rtype: dict - """ - api_path = "/v1/sys/policies/egp" - return self._adapter.list( - url=api_path, - ) - - def read_egp_policy(self, name): - """Retrieve the policy body for the named egp policy. - - Supported methods: - GET: /sys/policies/egp/{name}. Produces: 200 application/json - - :param name: The name of the egp policy to retrieve. - :type name: str | unicode - :return: The response of the request - :rtype: dict - """ - api_path = utils.format_url("/v1/sys/policies/egp/{name}", name=name) - return self._adapter.get( - url=api_path, - ) - - def create_or_update_egp_policy(self, name, policy, enforcement_level, paths): - """Add a new or update an existing egp policy. 
- - Once a policy is updated, it takes effect immediately to all associated users. - - Supported methods: - PUT: /sys/policies/egp/{name}. Produces: 204 (empty body) - - :param name: Specifies the name of the policy to create. - :type name: str | unicode - :param policy: Specifies the policy to create or update. - :type policy: str | unicode - :param enforcement_level: Specifies the enforcement level to use. This must be one of advisory, soft-mandatory, or hard-mandatory - :type enforcement_level: str | unicode - :param paths: Specifies the paths on which this EGP should be applied. - :type paths: list - :return: The response of the request. - :rtype: requests.Response - """ - params = { - "policy": policy, - "enforcement_level": enforcement_level, - "paths": paths, - } - api_path = utils.format_url(f"/v1/sys/policies/egp/{name}", name=name) - return self._adapter.put( - url=api_path, - json=params, - ) - - def delete_egp_policy(self, name): - """Delete the egp policy with the given name. - - This will immediately affect all users associated with this policy. - - Supported methods: - DELETE: /sys/policies/egp/{name}. Produces: 204 (empty body) - - :param name: Specifies the name of the policy to delete. - :type name: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url("/v1/sys/policies/egp/{name}", name=name) - return self._adapter.delete( - url=api_path, - ) diff --git a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/policy.py b/.venv/lib/python3.12/site-packages/hvac/api/system_backend/policy.py deleted file mode 100644 index b27441c..0000000 --- a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/policy.py +++ /dev/null 
@@ -1,86 +0,0 @@ -import json - -from hvac import utils -from hvac.api.system_backend.system_backend_mixin import SystemBackendMixin - - -class Policy(SystemBackendMixin): - def list_policies(self): - """List all configured policies. - - Supported methods: - GET: /sys/policy. Produces: 200 application/json - - :return: The JSON response of the request. - :rtype: dict - """ - api_path = "/v1/sys/policy" - return self._adapter.get( - url=api_path, - ) - - def read_policy(self, name): - """Retrieve the policy body for the named policy. - - Supported methods: - GET: /sys/policy/{name}. Produces: 200 application/json - - :param name: The name of the policy to retrieve. - :type name: str | unicode - :return: The response of the request - :rtype: dict - """ - api_path = utils.format_url("/v1/sys/policy/{name}", name=name) - return self._adapter.get( - url=api_path, - ) - - def create_or_update_policy(self, name, policy, pretty_print=True): - """Add a new or update an existing policy. - - Once a policy is updated, it takes effect immediately to all associated users. - - Supported methods: - PUT: /sys/policy/{name}. Produces: 204 (empty body) - - :param name: Specifies the name of the policy to create. - :type name: str | unicode - :param policy: Specifies the policy document. - :type policy: str | unicode | dict - :param pretty_print: If True, and provided a dict for the policy argument, send the policy JSON to Vault with - "pretty" formatting. - :type pretty_print: bool - :return: The response of the request. - :rtype: requests.Response - """ - if isinstance(policy, dict): - if pretty_print: - policy = json.dumps(policy, indent=4, sort_keys=True) - else: - policy = json.dumps(policy) - params = { - "policy": policy, - } - api_path = utils.format_url("/v1/sys/policy/{name}", name=name) - return self._adapter.put( - url=api_path, - json=params, - ) - - def delete_policy(self, name): - """Delete the policy with the given name. 
- - This will immediately affect all users associated with this policy. - - Supported methods: - DELETE: /sys/policy/{name}. Produces: 204 (empty body) - - :param name: Specifies the name of the policy to delete. - :type name: str | unicode - :return: The response of the request. - :rtype: requests.Response - """ - api_path = utils.format_url("/v1/sys/policy/{name}", name=name) - return self._adapter.delete( - url=api_path, - ) diff --git a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/quota.py b/.venv/lib/python3.12/site-packages/hvac/api/system_backend/quota.py deleted file mode 100644 index 40228e3..0000000 --- a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/quota.py +++ /dev/null 
@@ -1,101 +0,0 @@ -from hvac import utils -from hvac.api.system_backend.system_backend_mixin import SystemBackendMixin - - -class Quota(SystemBackendMixin): - def read_quota(self, name): - """Read quota. Only works when calling on the root namespace. - - Supported methods: - GET: /sys/quotas/rate-limit/:name. Produces: 200 application/json - - :param name: the name of the quota to look up. - :type name: str | unicode - :return: JSON response from API request. - :rtype: requests.Response - """ - api_path = utils.format_url(f"/v1/sys/quotas/rate-limit/{name}", name=name) - return self._adapter.get(url=api_path) - - def list_quotas(self): - """Retrieve a list of quotas by name. Only works when calling on the root namespace. - - Supported methods: - LIST: /sys/quotas/rate-limit. Produces: 200 application/json - - :return: JSON response from API request. - :rtype: requests.Response - """ - api_path = "/v1/sys/quotas/rate-limit" - return self._adapter.list( - url=api_path, - ) - - def create_or_update_quota( - self, - name, - rate, - path=None, - interval=None, - block_interval=None, - role=None, - rate_limit_type=None, - inheritable=None, - ): - """Create quota if it doesn't exist or update if already created. Only works when calling on the root namespace. - - Supported methods: - POST: /sys/quotas/rate-limit. Produces: 204 (empty body) - - :param name: The name of the quota to create or update. - :type name: str | unicode - :param path: Path of the mount or namespace to apply the quota. - :type path: str | unicode - :param rate: The maximum number of requests in a given interval to be allowed. Must be positive. - :type rate: float - :param interval: The duration to enforce rate limit. Default is "1s". - :type interval: str | unicode - :param block_interval: If rate limit is reached, how long before client can send requests again. 
- :type block_interval: str | unicode - :param role: If quota is set on an auth mount path, restrict login requests that are made with a specified role. - :type role: str | unicode - :param rate_limit_type: Type of rate limit quota. Can be lease-count or rate-limit. - :type rate_limit_type: str | unicode - :param inheritable: If set to true on a path that is a namespace, quota will be applied to all child namespaces - :type inheritable: bool - :return: API status code from request. - :rtype: requests.Response - """ - api_path = utils.format_url("/v1/sys/quotas/rate-limit/{name}", name=name) - params = utils.remove_nones( - { - "name": name, - "path": path, - "rate": rate, - "interval": interval, - "block_interval": block_interval, - "role": role, - "type": rate_limit_type, - "inheritable": inheritable, - } - ) - return self._adapter.post( - url=api_path, - json=params, - ) - - def delete_quota(self, name): - """Delete a given quota. Only works when calling on the root namespace. - - Supported methods: - DELETE: /sys/quotas/rate-limit. Produces: 204 (empty body) - - :param name: Name of the quota to delete - :type name: str | unicode - :return: API status code from request. - :rtype: requests.Response - """ - api_path = utils.format_url(f"/v1/sys/quotas/rate-limit/{name}", name=name) - return self._adapter.delete( - url=api_path, - ) diff --git a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/raft.py b/.venv/lib/python3.12/site-packages/hvac/api/system_backend/raft.py deleted file mode 100644 index 0720c9c..0000000 --- a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/raft.py +++ /dev/null 
@@ -1,253 +0,0 @@ -#!/usr/bin/env python -"""Raft methods module.""" -from hvac.api.system_backend.system_backend_mixin import SystemBackendMixin -from hvac import utils, adapters - - -class Raft(SystemBackendMixin): - """Raft cluster-related system backend methods. - - When using Shamir seal, as soon as the Vault server is brought up, this API should be invoked - instead of sys/init. This API completes in 2 phases. Once this is invoked, the joining node - will receive a challenge from the Raft's leader node. This challenge can be answered by the - joining node only after a successful unseal. Hence, the joining node should be unsealed using - the unseal keys of the Raft's leader node. - - Reference: https://www.vaultproject.io/api-docs/system/storage/raft - """ - - def join_raft_cluster( - self, - leader_api_addr, - retry=False, - leader_ca_cert=None, - leader_client_cert=None, - leader_client_key=None, - ): - """Join a new server node to the Raft cluster. - - When using Shamir seal, as soon as the Vault server is brought up, this API should be invoked - instead of sys/init. This API completes in 2 phases. Once this is invoked, the joining node will - receive a challenge from the Raft's leader node. This challenge can be answered by the joining - node only after a successful unseal. Hence, the joining node should be unsealed using the unseal - keys of the Raft's leader node. - - Supported methods: - POST: /sys/storage/raft/join. - - :param leader_api_addr: Address of the leader node in the Raft cluster to which this node is trying to join. - :type leader_api_addr: str | unicode - :param retry: Retry joining the Raft cluster in case of failures. - :type retry: bool - :param leader_ca_cert: CA certificate used to communicate with Raft's leader node. - :type leader_ca_cert: str | unicode - :param leader_client_cert: Client certificate used to communicate with Raft's leader node. 
- :type leader_client_cert: str | unicode - :param leader_client_key: Client key used to communicate with Raft's leader node. - :type leader_client_key: str | unicode - :return: The response of the join_raft_cluster request. - :rtype: requests.Response - """ - params = utils.remove_nones( - { - "leader_api_addr": leader_api_addr, - "retry": retry, - "leader_ca_cert": leader_ca_cert, - "leader_client_cert": leader_client_cert, - "leader_client_key": leader_client_key, - } - ) - api_path = "/v1/sys/storage/raft/join" - return self._adapter.post( - url=api_path, - json=params, - ) - - def read_raft_config(self): - """Read the details of all the nodes in the raft cluster. - - Supported methods: - GET: /sys/storage/raft/configuration. - - :return: The response of the read_raft_config request. - :rtype: requests.Response - """ - api_path = "/v1/sys/storage/raft/configuration" - return self._adapter.get( - url=api_path, - ) - - def remove_raft_node(self, server_id): - """Remove a node from the raft cluster. - - Supported methods: - POST: /sys/storage/raft/remove-peer. - - :param server_id: The ID of the node to remove. - :type server_id: str - :return: The response of the remove_raft_node request. - :rtype: requests.Response - """ - params = { - "server_id": server_id, - } - api_path = "/v1/sys/storage/raft/remove-peer" - return self._adapter.post( - url=api_path, - json=params, - ) - - def take_raft_snapshot(self): - """Returns a snapshot of the current state of the raft cluster. - - The snapshot is returned as binary data and should be redirected to a file. - - This endpoint will ignore your chosen adapter and always uses a RawAdapter. - - Supported methods: - GET: /sys/storage/raft/snapshot. - - :return: The response of the snapshot request. 
- :rtype: requests.Response - """ - api_path = "/v1/sys/storage/raft/snapshot" - raw_adapter = adapters.RawAdapter.from_adapter(self._adapter) - return raw_adapter.get( - url=api_path, - stream=True, - ) - - def restore_raft_snapshot(self, snapshot): - """Install the provided snapshot, returning the cluster to the state defined in it. - - Supported methods: - POST: /sys/storage/raft/snapshot. - - :param snapshot: Previously created raft snapshot / binary data. - :type snapshot: bytes - :return: The response of the restore_raft_snapshot request. - :rtype: requests.Response - """ - api_path = "/v1/sys/storage/raft/snapshot" - return self._adapter.post( - url=api_path, - data=snapshot, - ) - - def force_restore_raft_snapshot(self, snapshot): - """Installs the provided snapshot, returning the cluster to the state defined in it. - - This is same as writing to /sys/storage/raft/snapshot except that this bypasses checks - ensuring the Autounseal or shamir keys are consistent with the snapshot data. - - Supported methods: - POST: /sys/storage/raft/snapshot-force. - - :param snapshot: Previously created raft snapshot / binary data. - :type snapshot: bytes - :return: The response of the force_restore_raft_snapshot request. - :rtype: requests.Response - """ - api_path = "/v1/sys/storage/raft/snapshot-force" - return self._adapter.post( - url=api_path, - data=snapshot, - ) - - def read_raft_auto_snapshot_status(self, name): - """Read the status of the raft auto snapshot. - - Supported methods: - GET: /sys/storage/raft/snapshot-auto/status/:name. Produces: 200 application/json - - :param name: The name of the snapshot configuration. - :type name: str - :return: The response of the read_raft_auto_snapshot_status request. - :rtype: requests.Response - """ - api_path = f"/v1/sys/storage/raft/snapshot-auto/status/{name}" - return self._adapter.get( - url=api_path, - ) - - def read_raft_auto_snapshot_config(self, name): - """Read the configuration of the raft auto snapshot. 
- - Supported methods: - GET: /sys/storage/raft/snapshot-auto/config/:name. Produces: 200 application/json - - :param name: The name of the snapshot configuration. - :type name: str - :return: The response of the read_raft_auto_snapshot_config request. - :rtype: requests.Response - """ - api_path = f"/v1/sys/storage/raft/snapshot-auto/config/{name}" - return self._adapter.get( - url=api_path, - ) - - def list_raft_auto_snapshot_configs(self): - """List the configurations of the raft auto snapshot. - - Supported methods: - LIST: /sys/storage/raft/snapshot-auto/config. Produces: 200 application/json - - :return: The response of the list_raft_auto_snapshot_configs request. - :rtype: requests.Response - """ - api_path = "/v1/sys/storage/raft/snapshot-auto/config" - return self._adapter.list( - url=api_path, - ) - - def create_or_update_raft_auto_snapshot_config( - self, name, interval, storage_type, retain=1, **kwargs - ): - """Create or update the configuration of the raft auto snapshot. - - Supported methods: - POST: /sys/storage/raft/snapshot-auto/config/:name. Produces: 204 application/json - - :param name: The name of the snapshot configuration. - :type name: str - :param interval: The interval at which snapshots should be taken. - :type interval: str - :param storage_type: The type of storage to use for the snapshot. - :type storage_type: str - :param retain: The number of snapshots to retain. Default is 1 - :type retain: int - :param kwargs: Additional parameters to send in the request. Should be params specific to the storage type. - :type kwargs: dict - :return: The response of the create_or_update_raft_auto_snapshot_config request. 
- :rtype: requests.Response - """ - params = utils.remove_nones( - { - "interval": interval, - "storage_type": storage_type, - "retain": retain, - **kwargs, - } - ) - - api_path = f"/v1/sys/storage/raft/snapshot-auto/config/{name}" - return self._adapter.post( - url=api_path, - json=params, - ) - - def delete_raft_auto_snapshot_config(self, name): - """Delete the configuration of the raft auto snapshot. - - Supported methods: - DELETE: /sys/storage/raft/snapshot-auto/config/:name. Produces: 204 application/json - - :param name: The name of the snapshot configuration. - :type name: str - :return: The response of the delete_raft_auto_snapshot_config request. - :rtype: requests.Response - """ - api_path = f"/v1/sys/storage/raft/snapshot-auto/config/{name}" - return self._adapter.delete( - url=api_path, - ) diff --git a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/seal.py b/.venv/lib/python3.12/site-packages/hvac/api/system_backend/seal.py deleted file mode 100644 index 9ce2f5f..0000000 --- a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/seal.py +++ /dev/null 
@@ -1,104 +0,0 @@ -from hvac.api.system_backend.system_backend_mixin import SystemBackendMixin - - -class Seal(SystemBackendMixin): - def is_sealed(self): - """Determine if Vault is sealed. - - :return: True if Vault is seal, False otherwise. - :rtype: bool - """ - seal_status = self.read_seal_status() - return seal_status["sealed"] - - def read_seal_status(self): - """Read the seal status of the Vault. - - This is an unauthenticated endpoint. - - Supported methods: - GET: /sys/seal-status. Produces: 200 application/json - - :return: The JSON response of the request. - :rtype: dict - """ - api_path = "/v1/sys/seal-status" - return self._adapter.get( - url=api_path, - ) - - def seal(self): - """Seal the Vault. - - In HA mode, only an active node can be sealed. Standby nodes should be restarted to get the same effect. - Requires a token with root policy or sudo capability on the path. - - Supported methods: - PUT: /sys/seal. Produces: 204 (empty body) - - :return: The response of the request. - :rtype: requests.Response - """ - api_path = "/v1/sys/seal" - return self._adapter.put( - url=api_path, - ) - - def submit_unseal_key(self, key=None, reset=False, migrate=False): - """Enter a single master key share to progress the unsealing of the Vault. - - If the threshold number of master key shares is reached, Vault will attempt to unseal the Vault. Otherwise, this - API must be called multiple times until that threshold is met. - - Either the key or reset parameter must be provided; if both are provided, reset takes precedence. - - Supported methods: - PUT: /sys/unseal. Produces: 200 application/json - - :param key: Specifies a single master key share. This is required unless reset is true. - :type key: str | unicode - :param reset: Specifies if previously-provided unseal keys are discarded and the unseal process is reset. - :type reset: bool - :param migrate: Available in 1.0 Beta - Used to migrate the seal from shamir to autoseal or autoseal to shamir. 
- Must be provided on all unseal key calls. - :type: migrate: bool - :return: The JSON response of the request. - :rtype: dict - """ - - params = { - "migrate": migrate, - } - if not reset and key is not None: - params["key"] = key - elif reset: - params["reset"] = reset - - api_path = "/v1/sys/unseal" - return self._adapter.put( - url=api_path, - json=params, - ) - - def submit_unseal_keys(self, keys, migrate=False): - """Enter multiple master key share to progress the unsealing of the Vault. - - :param keys: List of master key shares. - :type keys: List[str] - :param migrate: Available in 1.0 Beta - Used to migrate the seal from shamir to autoseal or autoseal to shamir. - Must be provided on all unseal key calls. - :type: migrate: bool - :return: The JSON response of the last unseal request. - :rtype: dict - """ - result = None - - for key in keys: - result = self.submit_unseal_key( - key=key, - migrate=migrate, - ) - if not result["sealed"]: - break - - return result diff --git a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/system_backend_mixin.py b/.venv/lib/python3.12/site-packages/hvac/api/system_backend/system_backend_mixin.py deleted file mode 100644 index 4520cfb..0000000 --- a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/system_backend_mixin.py +++ /dev/null @@ -1,11 +0,0 @@ -#!/usr/bin/env python -import logging -from abc import ABCMeta - -from hvac.api.vault_api_base import VaultApiBase - -logger = logging.getLogger(__name__) - - -class SystemBackendMixin(VaultApiBase, metaclass=ABCMeta): - """Base class for System Backend API endpoints.""" diff --git a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/wrapping.py b/.venv/lib/python3.12/site-packages/hvac/api/system_backend/wrapping.py deleted file mode 100644 index 90fe9fb..0000000 --- a/.venv/lib/python3.12/site-packages/hvac/api/system_backend/wrapping.py +++ /dev/null 
@@ -1,51 +0,0 @@
-from hvac.api.system_backend.system_backend_mixin import SystemBackendMixin
-
-
-class Wrapping(SystemBackendMixin):
- def unwrap(self, token=None):
- """Return the original response inside the given wrapping token.
-
- Unlike simply reading cubbyhole/response (which is deprecated), this endpoint provides additional validation
- checks on the token, returns the original value on the wire rather than a JSON string representation of it, and
- ensures that the response is properly audit-logged.
-
- Supported methods:
- POST: /sys/wrapping/unwrap. Produces: 200 application/json
-
- :param token: Specifies the wrapping token ID. This is required if the client token is not the wrapping token.
- Do not use the wrapping token in both locations.
- :type token: str | unicode
- :return: The JSON response of the request.
- :rtype: dict
- """
- params = {}
- if token is not None:
- params["token"] = token
-
- api_path = "/v1/sys/wrapping/unwrap"
- return self._adapter.post(
- url=api_path,
- json=params,
- )
-
- def wrap(self, payload=None, ttl=60):
- """Wraps a serializable dictionary inside a wrapping token.
-
- Supported methods:
- POST: /sys/wrapping/wrap. Produces: 200 application/json
-
- :param payload: Specifies the data that should be wrapped inside the token.
- :type payload: dict
- :param ttl: The TTL of the returned wrapping token.
- :type ttl: int
- :return: The JSON response of the request.
- :rtype: dict
- """
-
- if payload is None:
- payload = {}
-
- api_path = "/v1/sys/wrapping/wrap"
- return self._adapter.post(
- url=api_path, json=payload, headers={"X-Vault-Wrap-TTL": "{}".format(ttl)}
- )
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/vault_api_base.py b/.venv/lib/python3.12/site-packages/hvac/api/vault_api_base.py
deleted file mode 100644
index d73ac70..0000000
--- a/.venv/lib/python3.12/site-packages/hvac/api/vault_api_base.py
+++ /dev/null
@@ -1,17 +0,0 @@
-"""Base class used by all hvac "api" classes."""
-import logging
-from abc import ABCMeta
-
-logger = logging.getLogger(__name__)
-
-
-class VaultApiBase(metaclass=ABCMeta):
- """Base class for API endpoints."""
-
- def __init__(self, adapter):
- """Default api class constructor.
-
- :param adapter: Instance of :py:class:`hvac.adapters.Adapter`; used for performing HTTP requests.
- :type adapter: hvac.adapters.Adapter
- """
- self._adapter = adapter
diff --git a/.venv/lib/python3.12/site-packages/hvac/api/vault_api_category.py b/.venv/lib/python3.12/site-packages/hvac/api/vault_api_category.py
deleted file mode 100644
index f9424bd..0000000
--- a/.venv/lib/python3.12/site-packages/hvac/api/vault_api_category.py
+++ /dev/null
@@ -1,100 +0,0 @@ -"""Base class used by all hvac api "category" classes.""" -import logging -from abc import ABCMeta, abstractmethod - -from hvac.api.vault_api_base import VaultApiBase - -logger = logging.getLogger(__name__) - - -class VaultApiCategory(VaultApiBase, metaclass=ABCMeta): - """Base class for API categories.""" - - def __init__(self, adapter): - """API Category class constructor. - - :param adapter: Instance of :py:class:`hvac.adapters.Adapter`; used for performing HTTP requests. - :type adapter: hvac.adapters.Adapter - """ - self._adapter = adapter - self.implemented_class_names = [] - for implemented_class in self.implemented_classes: - class_name = implemented_class.__name__.lower() - self.implemented_class_names.append(class_name) - auth_method_instance = implemented_class(adapter=adapter) - setattr(self, self.get_private_attr_name(class_name), auth_method_instance) - - super().__init__(adapter=adapter) - - def __getattr__(self, item): - """Get an instance of an class instance in this category where available. - - :param item: Name of the class being requested. - :type item: str | unicode - :return: The requested class instance where available. - :rtype: hvac.api.VaultApiBase - """ - if item == "implemented_class_names": - raise AttributeError - if item in self.implemented_class_names: - private_attr_name = self.get_private_attr_name(item) - return getattr(self, private_attr_name) - if item in [u.lower() for u in self.unimplemented_classes]: - raise NotImplementedError( - '"%s" auth method class not currently implemented.' % item - ) - raise AttributeError - - @property - def adapter(self): - """Retrieve the adapter instance under the "_adapter" property in use by this class. - - :return: The adapter instance in use by this class. - :rtype: hvac.adapters.Adapter - """ - return self._adapter - - @adapter.setter - def adapter(self, adapter): - """Sets the adapter instance under the "_adapter" property in use by this class. 
- - Also sets the adapter property for all implemented classes under this category. - - :param adapter: New adapter instance to set for this class and all implemented classes under this category. - :type adapter: hvac.adapters.Adapter - """ - self._adapter = adapter - for implemented_class in self.implemented_classes: - class_name = implemented_class.__name__.lower() - getattr(self, self.get_private_attr_name(class_name)).adapter = adapter - - @property - @abstractmethod - def implemented_classes(self): - """List of implemented classes under this category. - - :return: List of implemented classes under this category. - :rtype: List[hvac.api.VaultApiBase] - """ - raise NotImplementedError - - @property - def unimplemented_classes(self): - """List of known unimplemented classes under this category. - - :return: List of known unimplemented classes under this category. - :rtype: List[str] - """ - raise NotImplementedError - - @staticmethod - def get_private_attr_name(class_name): - """Helper method to prepend a leading underscore to a provided class name. - - :param class_name: Name of a class under this category. - :type class_name: str|unicode - :return: The private attribute label for the provided class. - :rtype: str - """ - private_attr_name = f"_{class_name}" - return private_attr_name diff --git a/.venv/lib/python3.12/site-packages/hvac/aws_utils.py b/.venv/lib/python3.12/site-packages/hvac/aws_utils.py deleted file mode 100644 index b17b84f..0000000 --- a/.venv/lib/python3.12/site-packages/hvac/aws_utils.py +++ /dev/null 
@@ -1,81 +0,0 @@
-import hmac
-from datetime import datetime
-from hashlib import sha256
-import requests
-
-
-class SigV4Auth:
- def __init__(self, access_key, secret_key, session_token=None, region="us-east-1"):
- self.access_key = access_key
- self.secret_key = secret_key
- self.session_token = session_token
- self.region = region
-
- def add_auth(self, request):
- timestamp = datetime.utcnow().strftime("%Y%m%dT%H%M%SZ")
- request.headers["X-Amz-Date"] = timestamp
-
- if self.session_token:
- request.headers["X-Amz-Security-Token"] = self.session_token
-
- # https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
- canonical_headers = "".join(
- f"{k.lower()}:{request.headers[k]}\n" for k in sorted(request.headers)
- )
- signed_headers = ";".join(k.lower() for k in sorted(request.headers))
- payload_hash = sha256(request.body.encode("utf-8")).hexdigest()
- canonical_request = "\n".join(
- [request.method, "/", "", canonical_headers, signed_headers, payload_hash]
- )
-
- # https://docs.aws.amazon.com/general/latest/gr/sigv4-create-string-to-sign.html
- algorithm = "AWS4-HMAC-SHA256"
- credential_scope = "/".join(
- [timestamp[0:8], self.region, "sts", "aws4_request"]
- )
- canonical_request_hash = sha256(canonical_request.encode("utf-8")).hexdigest()
- string_to_sign = "\n".join(
- [algorithm, timestamp, credential_scope, canonical_request_hash]
- )
-
- # https://docs.aws.amazon.com/general/latest/gr/sigv4-calculate-signature.html
- key = f"AWS4{self.secret_key}".encode()
- key = hmac.new(key, timestamp[0:8].encode("utf-8"), sha256).digest()
- key = hmac.new(key, self.region.encode("utf-8"), sha256).digest()
- key = hmac.new(key, b"sts", sha256).digest()
- key = hmac.new(key, b"aws4_request", sha256).digest()
- signature = hmac.new(key, string_to_sign.encode("utf-8"), sha256).hexdigest()
-
- # https://docs.aws.amazon.com/general/latest/gr/sigv4-add-signature-to-request.html
- authorization = "{} Credential={}/{}, SignedHeaders={}, 
Signature={}".format(
- algorithm, self.access_key, credential_scope, signed_headers, signature
- )
- request.headers["Authorization"] = authorization
-
-
-def generate_sigv4_auth_request(header_value=None):
- """Helper function to prepare a AWS API request to subsequently generate a "AWS Signature Version 4" header.
-
- :param header_value: Vault allows you to require an additional header, X-Vault-AWS-IAM-Server-ID, to be present
- to mitigate against different types of replay attacks. Depending on the configuration of the AWS auth
- backend, providing a argument to this optional parameter may be required.
- :type header_value: str
- :return: A PreparedRequest instance, optionally containing the provided header value under a
- 'X-Vault-AWS-IAM-Server-ID' header name pointed to AWS's simple token service with action "GetCallerIdentity"
- :rtype: requests.PreparedRequest
- """
- request = requests.Request(
- method="POST",
- url="https://sts.amazonaws.com/",
- headers={
- "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
- "Host": "sts.amazonaws.com",
- },
- data="Action=GetCallerIdentity&Version=2011-06-15",
- )
-
- if header_value:
- request.headers["X-Vault-AWS-IAM-Server-ID"] = header_value
-
- prepared_request = request.prepare()
- return prepared_request
diff --git a/.venv/lib/python3.12/site-packages/hvac/constants/__init__.py b/.venv/lib/python3.12/site-packages/hvac/constants/__init__.py
deleted file mode 100644
index e69de29..0000000
diff --git a/.venv/lib/python3.12/site-packages/hvac/constants/__pycache__/__init__.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/constants/__pycache__/__init__.cpython-312.pyc
deleted file mode 100644
index c39958c..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/constants/__pycache__/__init__.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/constants/__pycache__/approle.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/constants/__pycache__/approle.cpython-312.pyc
deleted file mode 100644
index bf34faa..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/constants/__pycache__/approle.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/constants/__pycache__/aws.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/constants/__pycache__/aws.cpython-312.pyc
deleted file mode 100644
index 87a841b..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/constants/__pycache__/aws.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/constants/__pycache__/azure.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/constants/__pycache__/azure.cpython-312.pyc
deleted file mode 100644
index 5ec6cf4..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/constants/__pycache__/azure.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/constants/__pycache__/client.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/constants/__pycache__/client.cpython-312.pyc
deleted file mode 100644
index ad780a4..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/constants/__pycache__/client.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/constants/__pycache__/gcp.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/constants/__pycache__/gcp.cpython-312.pyc
deleted file mode 100644
index 4c9badd..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/constants/__pycache__/gcp.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/constants/__pycache__/identity.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/constants/__pycache__/identity.cpython-312.pyc
deleted file mode 100644
index 6c135ca..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/constants/__pycache__/identity.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/constants/__pycache__/transit.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/constants/__pycache__/transit.cpython-312.pyc
deleted file mode 100644
index cd5575c..0000000
Binary files a/.venv/lib/python3.12/site-packages/hvac/constants/__pycache__/transit.cpython-312.pyc and /dev/null differ
diff --git a/.venv/lib/python3.12/site-packages/hvac/constants/approle.py b/.venv/lib/python3.12/site-packages/hvac/constants/approle.py
deleted file mode 100644
index b3f202b..0000000
--- a/.venv/lib/python3.12/site-packages/hvac/constants/approle.py
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/usr/bin/env python
-"""Constants related to the APPROLE auth method."""
-
-DEFAULT_MOUNT_POINT = "approle"
-ALLOWED_TOKEN_TYPES = [
- "service",
- "batch",
- "default",
- "default-service",
- "default-batch",
-]
diff --git a/.venv/lib/python3.12/site-packages/hvac/constants/aws.py b/.venv/lib/python3.12/site-packages/hvac/constants/aws.py
deleted file mode 100644
index 44ebcdd..0000000
--- a/.venv/lib/python3.12/site-packages/hvac/constants/aws.py
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/usr/bin/env python
-"""Constants related to the AWS auth method and/or secrets engine."""
-
-DEFAULT_MOUNT_POINT = "aws"
-ALLOWED_CREDS_ENDPOINTS = ["creds", "sts"]
-ALLOWED_CREDS_TYPES = ["iam_user", "assumed_role", "federation_token"]
-ALLOWED_IAM_ALIAS_TYPES = ["role_id", "unique_id", "full_arn"]
-ALLOWED_EC2_ALIAS_TYPES = ["role_id", "instance_id", "image_id"]
diff --git a/.venv/lib/python3.12/site-packages/hvac/constants/azure.py b/.venv/lib/python3.12/site-packages/hvac/constants/azure.py
deleted file mode 100644
index d9fea67..0000000
--- a/.venv/lib/python3.12/site-packages/hvac/constants/azure.py
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/usr/bin/env python
-"""Constants related to the Azure auth method and/or secrets engine."""
-
-VALID_ENVIRONMENTS = [
- "AzurePublicCloud",
- "AzureUSGovernmentCloud",
- "AzureChinaCloud",
- "AzureGermanCloud",
-]
diff --git a/.venv/lib/python3.12/site-packages/hvac/constants/client.py b/.venv/lib/python3.12/site-packages/hvac/constants/client.py
deleted file mode 100644
index c681c3c..0000000
--- a/.venv/lib/python3.12/site-packages/hvac/constants/client.py
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/usr/bin/env python
-"""Constants related to the hvac.Client class."""
-
-from os import getenv
-
-DEPRECATED_PROPERTIES = {}
-# ^ this follows the format defined in utils.getattr_with_deprecated_properties
-# example:
-# {
-# "old_property_one": {
-# "to_be_removed_in_version": "99.0.0",
-# "client_property": "auth",
-# },
-# "old_property_two": {
-# "to_be_removed_in_version": "99.0.0",
-# "client_property": "secrets",
-# "new_property": "new_property_two",
-# },
-# }
-#
-# Result is that `client.old_property_one` will return the value of `client.auth.old_property_one`,
-# and `client.old_property_two` will return `client.secrets.new_property_two`.
-
-DEFAULT_URL = "http://localhost:8200"
-VAULT_CACERT = getenv("VAULT_CACERT")
-VAULT_CAPATH = getenv("VAULT_CAPATH")
-VAULT_CLIENT_CERT = getenv("VAULT_CLIENT_CERT")
-VAULT_CLIENT_KEY = getenv("VAULT_CLIENT_KEY")
diff --git a/.venv/lib/python3.12/site-packages/hvac/constants/gcp.py b/.venv/lib/python3.12/site-packages/hvac/constants/gcp.py
deleted file mode 100644
index 07e8d16..0000000
--- a/.venv/lib/python3.12/site-packages/hvac/constants/gcp.py
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/usr/bin/env python
-"""Constants related to the GCP auth method and/or secrets engine."""
-
-DEFAULT_MOUNT_POINT = "gcp"
-ALLOWED_ROLE_TYPES = ["iam", "gce"]
-ALLOWED_SECRETS_TYPES = ["access_token", "service_account_key"]
-SERVICE_ACCOUNT_KEY_ALGORITHMS = [
- "KEY_ALG_UNSPECIFIED",
- "KEY_ALG_RSA_1024",
- "KEY_ALG_RSA_2048",
-]
-SERVICE_ACCOUNT_KEY_TYPES = [
- "TYPE_UNSPECIFIED",
- "TYPE_PKCS12_FILE",
- "TYPE_GOOGLE_CREDENTIALS_FILE",
-]
-GCP_CERTS_ENDPOINT = "https://www.googleapis.com/oauth2/v3/certs"
diff --git a/.venv/lib/python3.12/site-packages/hvac/constants/identity.py b/.venv/lib/python3.12/site-packages/hvac/constants/identity.py
deleted file mode 100644
index c79b783..0000000
--- a/.venv/lib/python3.12/site-packages/hvac/constants/identity.py
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/usr/bin/env python
-"""Constants related to the Identity secrets engine."""
-
-ALLOWED_GROUP_TYPES = [
- "internal",
- "external",
-]
-DEFAULT_MOUNT_POINT = "identity"
diff --git a/.venv/lib/python3.12/site-packages/hvac/constants/transit.py b/.venv/lib/python3.12/site-packages/hvac/constants/transit.py
deleted file mode 100644
index d79cd21..0000000
--- a/.venv/lib/python3.12/site-packages/hvac/constants/transit.py
+++ /dev/null
@@ -1,52 +0,0 @@
-#!/usr/bin/env python
-"""Constants related to the Transit secrets engine."""
-
-import re
-
-ALLOWED_KEY_TYPES = [
- "aes256-gcm96",
- "chacha20-poly1305",
- "ed25519",
- "ecdsa-p256",
- "ecdsa-p384",
- "ecdsa-p521",
- "rsa-2048",
- "rsa-3072",
- "rsa-4096",
-]
-
-ALLOWED_EXPORT_KEY_TYPES = [
- "encryption-key",
- "signing-key",
- "hmac-key",
-]
-
-ALLOWED_DATA_KEY_TYPES = [
- "plaintext",
- "wrapped",
-]
-
-ALLOWED_DATA_KEY_BITS = [128, 256, 512]
-
-ALLOWED_HASH_DATA_ALGORITHMS = [
- "sha2-224",
- "sha2-256",
- "sha2-384",
- "sha2-512",
-]
-
-ALLOWED_HASH_DATA_FORMATS = ["hex", "base64"]
-
-ALLOWED_SIGNATURE_ALGORITHMS = [
- "pss",
- "pkcs1v15",
-]
-
-ALLOWED_MARSHALING_ALGORITHMS = [
- "asn1",
- "jws",
-]
-
-# https://github.com/hashicorp/vault/pull/16549
-# Either 'auto', 'hash', '-1', or any nonnegative integer.
-ALLOWED_SALT_LENGTHS = re.compile(r"auto|hash|-1|\d+")
diff --git a/.venv/lib/python3.12/site-packages/hvac/exceptions.py b/.venv/lib/python3.12/site-packages/hvac/exceptions.py
deleted file mode 100644
index d17af46..0000000
--- a/.venv/lib/python3.12/site-packages/hvac/exceptions.py
+++ /dev/null
@@ -1,85 +0,0 @@
-class VaultError(Exception):
- def __init__(
- self, message=None, errors=None, method=None, url=None, text=None, json=None
- ):
- if errors:
- message = ", ".join(errors)
-
- self.errors = errors
- self.method = method
- self.url = url
- self.text = text
- self.json = json
-
- super().__init__(message)
-
- def __str__(self):
- return f"{self.args[0]}, on {self.method} {self.url}"
-
- @classmethod
- def from_status(cls, status_code: int, *args, **kwargs):
- _STATUS_EXCEPTION_MAP = {
- 400: InvalidRequest,
- 401: Unauthorized,
- 403: Forbidden,
- 404: InvalidPath,
- 429: RateLimitExceeded,
- 500: InternalServerError,
- 501: VaultNotInitialized,
- 502: BadGateway,
- 503: VaultDown,
- }
-
- return _STATUS_EXCEPTION_MAP.get(status_code, UnexpectedError)(*args, **kwargs)
-
-
-class InvalidRequest(VaultError):
- pass
-
-
-class Unauthorized(VaultError):
- pass
-
-
-class Forbidden(VaultError):
- pass
-
-
-class InvalidPath(VaultError):
- pass
-
-
-class UnsupportedOperation(VaultError):
- pass
-
-
-class PreconditionFailed(VaultError):
- pass
-
-
-class RateLimitExceeded(VaultError):
- pass
-
-
-class InternalServerError(VaultError):
- pass
-
-
-class VaultNotInitialized(VaultError):
- pass
-
-
-class VaultDown(VaultError):
- pass
-
-
-class UnexpectedError(VaultError):
- pass
-
-
-class BadGateway(VaultError):
- pass
-
-
-class ParamValidationError(VaultError):
- pass
diff --git a/.venv/lib/python3.12/site-packages/hvac/utils.py b/.venv/lib/python3.12/site-packages/hvac/utils.py
deleted file mode 100644
index 60f2bec..0000000
--- a/.venv/lib/python3.12/site-packages/hvac/utils.py
+++ /dev/null
@@ -1,460 +0,0 @@ -""" -Misc utility functions and constants -""" - -import functools -import inspect -import os -import warnings -from textwrap import dedent -import urllib - -from hvac import exceptions - - -def raise_for_error( - method, url, status_code, message=None, errors=None, text=None, json=None -): - """Helper method to raise exceptions based on the status code of a response received back from Vault. - - :param method: HTTP method of a request to Vault. - :type method: str - :param url: URL of the endpoint requested in Vault. - :type url: str - :param status_code: Status code received in a response from Vault. - :type status_code: int - :param message: Optional message to include in a resulting exception. - :type message: str - :param errors: Optional errors to include in a resulting exception. - :type errors: list | str - :param text: Optional text of the response. - :type text: str - :param json: Optional deserialized version of a JSON response (object) - :type json: object - - :raises: hvac.exceptions.InvalidRequest | hvac.exceptions.Unauthorized | hvac.exceptions.Forbidden | - hvac.exceptions.InvalidPath | hvac.exceptions.RateLimitExceeded | hvac.exceptions.InternalServerError | - hvac.exceptions.VaultNotInitialized | hvac.exceptions.BadGateway | hvac.exceptions.VaultDown | - hvac.exceptions.UnexpectedError - - """ - raise exceptions.VaultError.from_status( - status_code, - message, - errors=errors, - method=method, - url=url, - text=text, - json=json, - ) - - -def aliased_parameter( - name, *aliases, removed_in_version, position=None, raise_on_multiple=True -): - """A decorator that can be used to define one or more aliases for a parameter, - and optionally display a deprecation warning when aliases are used. - It can also optionally raise an exception if a value is supplied via multiple names. 
- LIMITATIONS: - If the canonical parameter can be specified unnamed (positionally), - then its position must be set to correctly detect multiple use and apply precedence. - To set multiple aliases with different values for the optional parameters, use the decorator multiple times with the same name. - This method will only work properly when the alias parameter is set as a keyword (named) arg, therefore the function in question - should ensure that any aliases come after \\*args or bare \\* (marking keyword-only arguments: https://peps.python.org/pep-3102/). - Note also that aliases do not have to appear in the original function's argument list. - - :param name: The canonical name of the parameter. - :type name: str - :param aliases: One or more alias names for the parameter. - :type aliases: str - :param removed_in_version: The version in which the alias will be removed. This should typically have a value. - In the rare case that an alias is not deprecated, set this to None. - :type removed_in_version: str | None - :param position: The 0-based position of the canonical argument if it could be specified positionally. Use None for a keyword-only (named) argument. - :type position: int - :param raise_on_multiple: When True (default), raise an exception if a value is supplied via multiple names. - :type raise_on_multiple: bool - """ - - def decorator(method): - @functools.wraps(method) - def wrapper(*args, **kwargs): - has_canonical = False - try: - kwargs[name] - except KeyError: - if position is not None: - try: - args[position] - except IndexError: - pass - else: - has_canonical = True - else: - has_canonical = True - - # At this point if has_canonical is True, we'll never use an alias value, - # but we're still looping so we can catch duplicates or deprecated aliases. - for alias in aliases: - if alias in kwargs: - # do deprecation before (potentially) raising on a duplicate to aid the user in choosing the right parameter. 
- if removed_in_version is not None: - deprecation_message = generate_parameter_deprecation_message( - to_be_removed_in_version=removed_in_version, - old_parameter_name=alias, - new_parameter_name=name, - ) - warnings.warn( - message=deprecation_message, - category=DeprecationWarning, - stacklevel=2, - ) - - if not (has_canonical or name in kwargs): - kwargs[name] = kwargs[alias] - else: - if raise_on_multiple: - raise ValueError( - f"Parameter '{name}' was given a duplicate value via alias '{alias}'." - ) - - del kwargs[alias] - - return method(*args, **kwargs) - - return wrapper - - return decorator - - -def generate_parameter_deprecation_message( - to_be_removed_in_version, - old_parameter_name, - new_parameter_name=None, - extra_notes=None, -): - """Generate a message to be used when warning about the use of deprecated paramers. - - :param to_be_removed_in_version: Version of this module the deprecated parameter will be removed in. - :type to_be_removed_in_version: str - :param old_parameter_name: Deprecated parameter name. - :type old_parameter_name: str - :param new_parameter_name: Parameter intended to replace the deprecated parameter, if applicable. - :type new_parameter_name: str | None - :param extra_notes: Optional freeform text used to provide additional context, alternatives, or notes. - :type extra_notes: str | None - :return: Full deprecation warning message for the indicated parameter. - :rtype: str - """ - - message = f"Value supplied for deprecated parameter '{old_parameter_name}'. This parameter will be removed in version '{to_be_removed_in_version}'." - if new_parameter_name is not None: - message += f" Please use the '{new_parameter_name}' parameter moving forward." 
- if extra_notes is not None: - message += f" {extra_notes}" - - return message - - -def generate_method_deprecation_message( - to_be_removed_in_version, old_method_name, method_name=None, module_name=None -): - """Generate a message to be used when warning about the use of deprecated methods. - - :param to_be_removed_in_version: Version of this module the deprecated method will be removed in. - :type to_be_removed_in_version: str - :param old_method_name: Deprecated method name. - :type old_method_name: str - :param method_name: Method intended to replace the deprecated method indicated. This method's docstrings are - included in the decorated method's docstring. - :type method_name: str - :param module_name: Name of the module containing the new method to use. - :type module_name: str - :return: Full deprecation warning message for the indicated method. - :rtype: str - """ - message = "Call to deprecated function '{old_method_name}'. This method will be removed in version '{version}'".format( - old_method_name=old_method_name, - version=to_be_removed_in_version, - ) - if method_name is not None and module_name is not None: - message += " Please use the '{method_name}' method on the '{module_name}' class moving forward.".format( - method_name=method_name, - module_name=module_name, - ) - return message - - -def generate_property_deprecation_message( - to_be_removed_in_version, old_name, new_name, new_attribute, module_name="Client" -): - """Generate a message to be used when warning about the use of deprecated properties. - - :param to_be_removed_in_version: Version of this module the deprecated property will be removed in. - :type to_be_removed_in_version: str - :param old_name: Deprecated property name. - :type old_name: str - :param new_name: Name of the new property name to use. - :type new_name: str - :param new_attribute: The new attribute where the new property can be found. 
- :type new_attribute: str - :param module_name: Name of the module containing the new method to use. - :type module_name: str - :return: Full deprecation warning message for the indicated property. - :rtype: str - """ - message = "Call to deprecated property '{name}'. This property will be removed in version '{version}'".format( - name=old_name, - version=to_be_removed_in_version, - ) - message += " Please use the '{new_name}' property on the '{module_name}.{new_attribute}' attribute moving forward.".format( - new_name=new_name, - module_name=module_name, - new_attribute=new_attribute, - ) - return message - - -def getattr_with_deprecated_properties(obj, item, deprecated_properties): - """Helper method to use in the getattr method of a class with deprecated properties. - - :param obj: Instance of the Class containing the deprecated properties in question. - :type obj: object - :param item: Name of the attribute being requested. - :type item: str - :param deprecated_properties: Dict of deprecated properties. Each key is the name of the old property. - Each value is a dict with at least a "to_be_removed_in_version" and "client_property" key to be - used in the displayed deprecation warning. An optional "new_property" key contains the name of - the new property within the "client_property", otherwise the original name is used. - :type deprecated_properties: Dict - :return: The new property indicated where available. 
- :rtype: object - """ - if item in deprecated_properties: - deprecation_message = generate_property_deprecation_message( - to_be_removed_in_version=deprecated_properties[item][ - "to_be_removed_in_version" - ], - old_name=item, - new_name=deprecated_properties[item].get("new_property", item), - new_attribute=deprecated_properties[item]["client_property"], - ) - warnings.warn( - message=deprecation_message, - category=DeprecationWarning, - stacklevel=2, - ) - client_property = getattr(obj, deprecated_properties[item]["client_property"]) - return getattr( - client_property, deprecated_properties[item].get("new_property", item) - ) - - raise AttributeError( - "'{class_name}' has no attribute '{item}'".format( - class_name=obj.__class__.__name__, - item=item, - ) - ) - - -def deprecated_method(to_be_removed_in_version, new_method=None): - """This is a decorator which can be used to mark methods as deprecated. It will result in a warning being emitted - when the function is used. - - :param to_be_removed_in_version: Version of this module the decorated method will be removed in. - :type to_be_removed_in_version: str - :param new_method: Method intended to replace the decorated method. This method's docstrings are included in the - decorated method's docstring. - :type new_method: function - :return: Wrapped function that includes a deprecation warning and update docstrings from the replacement method. 
- :rtype: types.FunctionType - """ - - def decorator(method): - if new_method is not None: - new_method_name = new_method.__name__ - new_module_name = inspect.getmodule(new_method).__name__ - else: - new_method_name, new_module_name = (None, None) - - deprecation_message = generate_method_deprecation_message( - to_be_removed_in_version=to_be_removed_in_version, - old_method_name=method.__name__, - method_name=new_method_name, - module_name=new_module_name, - ) - - @functools.wraps(method) - def new_func(*args, **kwargs): - warnings.warn( - message=deprecation_message, - category=DeprecationWarning, - stacklevel=2, - ) - return method(*args, **kwargs) - - if new_method: - # Here we copy the docstring from the specified replacement method (i.e., the method to be used in place of - # the one we're marking as deprecated) where available to set within the deprecated method's docstring. - # If the "new" method has no docstring, we use a value of "N/A". - docstring_copy = ( - new_method.__doc__ if new_method.__doc__ is not None else "N/A" - ) - new_func.__doc__ = """\ - {message} - Docstring content from this method's replacement copied below: - {docstring_copy} - """.format( - message=deprecation_message, - docstring_copy=dedent(docstring_copy), - ) - - else: - new_func.__doc__ = deprecation_message - return new_func - - return decorator - - -def validate_list_of_strings_param(param_name, param_argument): - """Validate that an argument is a list of strings. - Returns nothing if valid, raises ParamValidationException if invalid. - - :param param_name: The name of the parameter being validated. Used in any resulting exception messages. - :type param_name: str | unicode - :param param_argument: The argument to validate. 
- :type param_argument: list - """ - if param_argument is None: - param_argument = [] - if isinstance(param_argument, str): - param_argument = param_argument.split(",") - if not isinstance(param_argument, list) or not all( - isinstance(p, str) for p in param_argument - ): - error_msg = 'unsupported {param} argument provided "{arg}" ({arg_type}), required type: List[str]' - raise exceptions.ParamValidationError( - error_msg.format( - param=param_name, - arg=param_argument, - arg_type=type(param_argument), - ) - ) - - -def list_to_comma_delimited(list_param): - """Convert a list of strings into a comma-delimited list / string. - - :param list_param: A list of strings. - :type list_param: list - :return: Comma-delimited string. - :rtype: str - """ - if list_param is None: - list_param = [] - return ",".join(list_param) - - -def get_token_from_env(): - """Get the token from env var, VAULT_TOKEN. If not set, attempt to get the token from, ~/.vault-token - - :return: The vault token if set, else None - :rtype: str | None - """ - token = os.getenv("VAULT_TOKEN") - if not token: - token_file_path = os.path.expanduser("~/.vault-token") - if os.path.exists(token_file_path): - with open(token_file_path) as f_in: - token = f_in.read().strip() - - if not token: - return None - - return token - - -def comma_delimited_to_list(list_param): - """Convert comma-delimited list / string into a list of strings - - :param list_param: Comma-delimited string - :type list_param: str | unicode - :return: A list of strings - :rtype: list - """ - if isinstance(list_param, list): - return list_param - if isinstance(list_param, str): - return list_param.split(",") - else: - return [] - - -def validate_pem_format(param_name, param_argument): - """Validate that an argument is a PEM-formatted public key or certificate - - :param param_name: The name of the parameter being validate. Used in any resulting exception messages. 
- :type param_name: str | unicode - :param param_argument: The argument to validate - :type param_argument: str | unicode - :return: True if the argument is validate False otherwise - :rtype: bool - """ - - def _check_pem(arg): - arg = arg.strip() - if not arg.startswith("-----BEGIN CERTIFICATE-----") or not arg.endswith( - "-----END CERTIFICATE-----" - ): - return False - return True - - if isinstance(param_argument, str): - param_argument = [param_argument] - - if not isinstance(param_argument, list) or not all( - _check_pem(p) for p in param_argument - ): - error_msg = ( - "unsupported {param} public key / certificate format, required type: PEM" - ) - raise exceptions.ParamValidationError(error_msg.format(param=param_name)) - - -def remove_nones(params): - """Removes None values from optional arguments in a parameter dictionary. - - :param params: The dictionary of parameters to be filtered. - :type params: dict - :return: A filtered copy of the parameter dictionary. - :rtype: dict - """ - - return {key: value for key, value in params.items() if value is not None} - - -def format_url(format_str, *args, **kwargs): - """Creates a URL using the specified format after escaping the provided arguments. - - :param format_str: The URL containing replacement fields. - :type format_str: str - :param kwargs: Positional replacement field values. - :type kwargs: list - :param kwargs: Named replacement field values. - :type kwargs: dict - :return: The formatted URL path with escaped replacement fields. - :rtype: str - """ - - def url_quote(maybe_str): - # Special care must be taken for Python 2 where Unicode characters will break urllib quoting. - # To work around this, we always cast to a Unicode type, then UTF-8 encode it. - # Doing this is version agnostic and returns the same result in Python 2 or 3. 
- unicode_str = str(maybe_str) - utf8_str = unicode_str.encode("utf-8") - return urllib.parse.quote(utf8_str) - - escaped_args = [url_quote(value) for value in args] - escaped_kwargs = {key: url_quote(value) for key, value in kwargs.items()} - - return format_str.format(*escaped_args, **escaped_kwargs) diff --git a/.venv/lib/python3.12/site-packages/hvac/v1/__init__.py b/.venv/lib/python3.12/site-packages/hvac/v1/__init__.py deleted file mode 100644 index 88ac136..0000000 --- a/.venv/lib/python3.12/site-packages/hvac/v1/__init__.py +++ /dev/null 
@@ -1,552 +0,0 @@ -import os -import typing as t - -from warnings import warn - -from hvac import adapters, api, exceptions, utils -from hvac.constants.client import ( - DEFAULT_URL, - DEPRECATED_PROPERTIES, - VAULT_CACERT, - VAULT_CAPATH, - VAULT_CLIENT_CERT, - VAULT_CLIENT_KEY, -) - -try: - import hcl - - has_hcl_parser = True -except ImportError: - has_hcl_parser = False - - -# TODO(v4.0.0): remove _sentinel and _smart_pop when write no longer has deprecated behavior: -# https://github.com/hvac/hvac/issues/1034 -_sentinel = object() - - -def _smart_pop( - dict: dict, - member: str, - default: t.Any = _sentinel, - *, - posvalue: t.Any = _sentinel, - method: str = "write", - replacement_method: str = "write_data", -): - try: - value = dict.pop(member) - except KeyError: - if posvalue is not _sentinel: - return posvalue - elif default is not _sentinel: - return default - else: - raise TypeError( - f"{method}() missing one required positional argument: '{member}'" - ) - else: - if posvalue is not _sentinel: - raise TypeError(f"{method}() got multiple values for argument '{member}'") - - warn( - ( - f"{method}() argument '{member}' was supplied as a keyword argument and will not be written as data." - f" To write this data with a '{member}' key, use the {replacement_method}() method." - f" To continue using {method}() and suppress this warning, supply this argument positionally." - f" For more information see: https://github.com/hvac/hvac/issues/1034" - ), - DeprecationWarning, - stacklevel=3, - ) - return value - - -class Client: - """The hvac Client class for HashiCorp's Vault.""" - - def __init__( - self, - url=None, - token=None, - cert=None, - verify=None, - timeout=30, - proxies=None, - allow_redirects=True, - session=None, - adapter=adapters.JSONAdapter, - namespace=None, - **kwargs, - ): - """Creates a new hvac client instance. - - :param url: Base URL for the Vault instance being addressed. 
- :type url: str - :param token: Authentication token to include in requests sent to Vault. - :type token: str - :param cert: Certificates for use in requests sent to the Vault instance. This should be a tuple with the - certificate and then key. - :type cert: tuple - :param verify: Either a boolean to indicate whether TLS verification should be performed when sending requests to Vault, - or a string pointing at the CA bundle to use for verification. See http://docs.python-requests.org/en/master/user/advanced/#ssl-cert-verification. - :type verify: Union[bool,str] - :param timeout: The timeout value for requests sent to Vault. - :type timeout: int - :param proxies: Proxies to use when performing requests. - See: http://docs.python-requests.org/en/master/user/advanced/#proxies - :type proxies: dict - :param allow_redirects: Whether to follow redirects when sending requests to Vault. - :type allow_redirects: bool - :param session: Optional session object to use when performing request. - :type session: request.Session - :param adapter: Optional class to be used for performing requests. If none is provided, defaults to - hvac.adapters.JSONRequest. - :type adapter: hvac.adapters.Adapter - :param kwargs: Additional parameters to pass to the adapter constructor. - :type kwargs: dict - :param namespace: Optional Vault Namespace. - :type namespace: str - """ - - token = token if token is not None else utils.get_token_from_env() - url = url if url else os.getenv("VAULT_ADDR", DEFAULT_URL) - - if cert is None and VAULT_CLIENT_CERT: - cert = ( - VAULT_CLIENT_CERT, - VAULT_CLIENT_KEY, - ) - - # Consider related CA env vars _only if_ no argument is passed in under the - # `verify` parameter. - if verify is None: - # Reference: https://www.vaultproject.io/docs/commands#vault_cacert - # Note: "[VAULT_CACERT] takes precedence over VAULT_CAPATH." and thus we - # check for VAULT_CAPATH _first_. 
- if VAULT_CAPATH: - verify = VAULT_CAPATH - if VAULT_CACERT: - verify = VAULT_CACERT - if not verify: - # default to verifying certificates if the above aren't defined - verify = True - - self._adapter = adapter( - base_uri=url, - token=token, - cert=cert, - verify=verify, - timeout=timeout, - proxies=proxies, - allow_redirects=allow_redirects, - session=session, - namespace=namespace, - **kwargs, - ) - - # Instantiate API classes to be exposed as properties on this class starting with auth method classes. - self._auth = api.AuthMethods(adapter=self._adapter) - self._secrets = api.SecretsEngines(adapter=self._adapter) - self._sys = api.SystemBackend(adapter=self._adapter) - - def __getattr__(self, name): - return utils.getattr_with_deprecated_properties( - obj=self, item=name, deprecated_properties=DEPRECATED_PROPERTIES - ) - - @property - def adapter(self): - """Adapter for all client's connections.""" - return self._adapter - - @adapter.setter - def adapter(self, adapter): - self._adapter = adapter - self._auth.adapter = adapter - self._secrets.adapter = adapter - self._sys.adapter = adapter - - @property - def url(self): - return self._adapter.base_uri - - @url.setter - def url(self, url): - self._adapter.base_uri = url - - @property - def token(self): - return self._adapter.token - - @token.setter - def token(self, token): - self._adapter.token = token - - @property - def session(self): - return self._adapter.session - - @session.setter - def session(self, session): - self._adapter.session = session - - @property - def allow_redirects(self): - return self._adapter.allow_redirects - - @allow_redirects.setter - def allow_redirects(self, allow_redirects): - self._adapter.allow_redirects = allow_redirects - - @property - def auth(self): - """Accessor for the Client instance's auth methods. Provided via the :py:class:`hvac.api.AuthMethods` class. - :return: This Client instance's associated Auth instance. 
- :rtype: hvac.api.AuthMethods - """ - return self._auth - - @property - def secrets(self): - """Accessor for the Client instance's secrets engines. Provided via the :py:class:`hvac.api.SecretsEngines` class. - - :return: This Client instance's associated SecretsEngines instance. - :rtype: hvac.api.SecretsEngines - """ - return self._secrets - - @property - def sys(self): - """Accessor for the Client instance's system backend methods. - Provided via the :py:class:`hvac.api.SystemBackend` class. - - :return: This Client instance's associated SystemBackend instance. - :rtype: hvac.api.SystemBackend - """ - return self._sys - - @property - def generate_root_status(self): - return self.sys.read_root_generation_progress() - - @property - def key_status(self): - """GET /sys/key-status - - :return: Information about the current encryption key used by Vault. - :rtype: dict - """ - return self.sys.get_encryption_key_status()["data"] - - @property - def rekey_status(self): - return self.sys.read_rekey_progress() - - @property - def ha_status(self): - """Read the high availability status and current leader instance of Vault. - - :return: The JSON response returned by read_leader_status() - :rtype: dict - """ - return self.sys.read_leader_status() - - @property - def seal_status(self): - """Read the seal status of the Vault. - - This is an unauthenticated endpoint. - - Supported methods: - GET: /sys/seal-status. Produces: 200 application/json - - :return: The JSON response of the request. 
- :rtype: dict - """ - return self.sys.read_seal_status() - - def read(self, path, wrap_ttl=None): - """GET / - - :param path: - :type path: - :param wrap_ttl: - :type wrap_ttl: - :return: - :rtype: - """ - try: - return self._adapter.get(f"/v1/{path}", wrap_ttl=wrap_ttl) - except exceptions.InvalidPath: - return None - - def list(self, path): - """GET /?list=true - - :param path: - :type path: - :return: - :rtype: - """ - try: - payload = {"list": True} - return self._adapter.get(f"/v1/{path}", params=payload) - except exceptions.InvalidPath: - return None - - # TODO(v4.0.0): remove overload when write doesn't use args and kwargs anymore - @t.overload - def write(self, path: str, wrap_ttl: t.Optional[str], **kwargs: t.Dict[str, t.Any]): - pass - - def write(self, *args: list, **kwargs: t.Dict[str, t.Any]): - """POST / - - Write data to a path. Because this method uses kwargs for the data to write, "path" and "wrap_ttl" data keys cannot be used. - If these names are needed, or if the key names are not known at design time, consider using the write_data method. - - :param path: - :type path: str - :param wrap_ttl: - :type wrap_ttl: str | None - :param kwargs: - :type kwargs: dict - :return: - :rtype: - """ - - try: - path = args[0] - except IndexError: - path = _sentinel - - path = _smart_pop(kwargs, "path", posvalue=path) - - try: - wrap_ttl = args[1] - except IndexError: - wrap_ttl = _sentinel - - wrap_ttl = _smart_pop(kwargs, "wrap_ttl", default=None, posvalue=wrap_ttl) - - if "data" in kwargs: - warn( - ( - "write() argument 'data' was supplied as a keyword argument." - " In v3.0.0 the 'data' key will be treated specially. Consider using the write_data() method instead." 
- " For more information see: https://github.com/hvac/hvac/issues/1034" - ), - PendingDeprecationWarning, - stacklevel=2, - ) - - return self.write_data(path, wrap_ttl=wrap_ttl, data=kwargs) - - def write_data( - self, - path: str, - *, - data: t.Optional[t.Dict[str, t.Any]] = None, - wrap_ttl: t.Optional[str] = None, - ): - """Write data to a path. Similar to write() without restrictions on data keys. - - Supported methods: - POST / - - :param path: - :type path: str - :param data: - :type data: dict | None - :param wrap_ttl: - :type wrap_ttl: str | None - :return: - :rtype: - """ - return self._adapter.post(f"/v1/{path}", json=data, wrap_ttl=wrap_ttl) - - def delete(self, path): - """DELETE / - - :param path: - :type path: - :return: - :rtype: - """ - self._adapter.delete(f"/v1/{path}") - - def get_policy(self, name, parse=False): - """Retrieve the policy body for the named policy. - - :param name: The name of the policy to retrieve. - :type name: str | unicode - :param parse: Specifies whether to parse the policy body using pyhcl or not. - :type parse: bool - :return: The (optionally parsed) policy body for the specified policy. - :rtype: str | dict - """ - try: - policy = self.sys.read_policy(name=name)["data"]["rules"] - except exceptions.InvalidPath: - return None - - if parse: - if not has_hcl_parser: - raise ImportError("pyhcl is required for policy parsing") - policy = hcl.loads(policy) - - return policy - - def lookup_token(self, token=None, accessor=False, wrap_ttl=None): - """GET /auth/token/lookup/ - - GET /auth/token/lookup-accessor/ - - GET /auth/token/lookup-self - - :param token: - :type token: str. - :param accessor: - :type accessor: str. - :param wrap_ttl: - :type wrap_ttl: int. 
- :return: - :rtype: - """ - token_param = { - "token": token, - } - accessor_param = { - "accessor": token, - } - if token: - if accessor: - path = "/v1/auth/token/lookup-accessor" - return self._adapter.post(path, json=accessor_param, wrap_ttl=wrap_ttl) - else: - path = "/v1/auth/token/lookup" - return self._adapter.post(path, json=token_param) - else: - path = "/v1/auth/token/lookup-self" - return self._adapter.get(path, wrap_ttl=wrap_ttl) - - def revoke_token(self, token, orphan=False, accessor=False): - """POST /auth/token/revoke - - POST /auth/token/revoke-orphan - - POST /auth/token/revoke-accessor - - :param token: - :type token: - :param orphan: - :type orphan: - :param accessor: - :type accessor: - :return: - :rtype: - """ - if accessor and orphan: - msg = "revoke_token does not support 'orphan' and 'accessor' flags together" - raise exceptions.InvalidRequest(msg) - elif accessor: - params = {"accessor": token} - self._adapter.post("/v1/auth/token/revoke-accessor", json=params) - elif orphan: - params = {"token": token} - self._adapter.post("/v1/auth/token/revoke-orphan", json=params) - else: - params = {"token": token} - self._adapter.post("/v1/auth/token/revoke", json=params) - - def renew_token(self, token, increment=None, wrap_ttl=None): - """POST /auth/token/renew - - POST /auth/token/renew-self - - :param token: - :type token: - :param increment: - :type increment: - :param wrap_ttl: - :type wrap_ttl: - :return: - :rtype: - - For calls expecting to hit the renew-self endpoint please use the "renew_self" method on "hvac_client.auth.token" instead - """ - params = { - "increment": increment, - } - - params["token"] = token - return self._adapter.post( - "/v1/auth/token/renew", json=params, wrap_ttl=wrap_ttl - ) - - def logout(self, revoke_token=False): - """Clears the token used for authentication, optionally revoking it before doing so. 
- - :param revoke_token: - :type revoke_token: - :return: - :rtype: - """ - if revoke_token: - self.auth.token.revoke_self() - - self.token = None - - def is_authenticated(self): - """Helper method which returns the authentication status of the client - - :return: - :rtype: - """ - if not self.token: - return False - - try: - self.lookup_token() - return True - except exceptions.Forbidden: - return False - except exceptions.InvalidPath: - return False - except exceptions.InvalidRequest: - return False - - def auth_cubbyhole(self, token): - """Perform a login request with a wrapped token. - - Stores the unwrapped token in the resulting Vault response for use by the :py:meth:`hvac.adapters.Adapter` - instance under the _adapter Client attribute. - - :param token: Wrapped token - :type token: str | unicode - :return: The (JSON decoded) response of the auth request - :rtype: dict - """ - self.token = token - return self.login("/v1/sys/wrapping/unwrap") - - def login(self, url, use_token=True, **kwargs): - """Perform a login request. - - Associated request is typically to a path prefixed with "/v1/auth") and optionally stores the client token sent - in the resulting Vault response for use by the :py:meth:`hvac.adapters.Adapter` instance under the _adapter - Client attribute. - - :param url: Path to send the authentication request to. - :type url: str | unicode - :param use_token: if True, uses the token in the response received from the auth request to set the "token" - attribute on the the :py:meth:`hvac.adapters.Adapter` instance under the _adapter Client attribute. - :type use_token: bool - :param kwargs: Additional keyword arguments to include in the params sent with the request. - :type kwargs: dict - :return: The response of the auth request. - :rtype: requests.Response - """ - return self._adapter.login(url=url, use_token=use_token, **kwargs) 
diff --git a/.venv/lib/python3.12/site-packages/hvac/v1/__pycache__/__init__.cpython-312.pyc b/.venv/lib/python3.12/site-packages/hvac/v1/__pycache__/__init__.cpython-312.pyc deleted file mode 100644 index e9a642c..0000000 Binary files a/.venv/lib/python3.12/site-packages/hvac/v1/__pycache__/__init__.cpython-312.pyc and /dev/null differ