def generate_hmac(self,
name,
hash_input,
key_version=None,
algorithm="sha2-256",
mount_point=DEFAULT_MOUNT_POINT):
"""Return the digest of given data using the specified hash algorithm and the named key.
The key can be of any type supported by transit; the raw key will be marshaled into bytes to be used for the
HMAC function. If the key is of a type that supports rotation, the latest (current) version will be used.
Supported methods:
POST: /{mount_point}/hmac/{name}(/{algorithm}). Produces: 200 application/json
:param name: Specifies the name of the encryption key to generate hmac against. This is specified as part of the
URL.
:type name: str | unicode
:param hash_input: Specifies the base64 encoded input data.
:type input: str | unicode
:param key_version: Specifies the version of the key to use for the operation. If not set, uses the latest
version. Must be greater than or equal to the key's min_encryption_version, if set.
:type key_version: int
:param algorithm: Specifies the hash algorithm to use. This can also be specified as part of the URL.
Currently-supported algorithms are: sha2-224, sha2-256, sha2-384, sha2-512
:type algorithm: str | unicode
:param mount_point: The "path" the method/backend was mounted on.
:type mount_point: str | unicode
:return: The JSON response of the request.
:rtype: requests.Response
"""
if algorithm not in transit_constants.ALLOWED_HASH_DATA_ALGORITHMS:
error_msg = 'invalid algorithm argument provided "{arg}", supported types: "{allowed_types}"'
raise exceptions.ParamValidationError(
error_msg.format(
arg=algorithm,
allowed_types=', '.join(
transit_constants.ALLOWED_HASH_DATA_ALGORITHMS),
))
params = {
'input': hash_input,
'key_version': key_version,
'algorithm': algorithm,
}
api_path = utils.format_url(
'/v1/{mount_point}/hmac/{name}',
mount_point=mount_point,
name=name,
)
resposne = self._adapter.post(
url=api_path,
json=params,
)
return resposne.json()
def delete_role(self, name, mount_point=DEFAULT_MOUNT_POINT):
"""This endpoint deletes a ad role with the given name.
Even if the role does not exist, this endpoint will still return a successful response.
:param name: Specifies the name of the role to delete.
:type name: str | unicode
:param mount_point: Specifies the place where the secrets engine will be accessible (default: ad).
:type mount_point: str | unicode
:return: The response of the request.
:rtype: requests.Response
"""
api_path = utils.format_url("/v1/{}/roles/{}", mount_point, name)
return self._adapter.delete(url=api_path, )
def list_blacklist_tags(self, mount_point=AWS_DEFAULT_MOUNT_POINT):
"""Lists all the role tags that are blacklisted
:param mount_point: The path the AWS auth method was mounted on.
:type mount_point: str
:return: The response of the request.
:rtype: requests.Response
"""
api_path = utils.format_url('/v1/auth/{mount_point}/roletag-blacklist',
mount_point=mount_point)
response = self._adapter.list(url=api_path, )
return response.get('data')
def read_role(self, role, mount_point=AWS_DEFAULT_MOUNT_POINT):
"""Returns the previously registered role configuration
:param role:
:param mount_point: The path the AWS auth method was mounted on.
:type mount_point: str
:return: The response of the request.
:rtype: requests.Response
"""
api_path = utils.format_url('/v1/auth/{0}/role/{1}', mount_point, role)
response = self._adapter.get(url=api_path)
return response.get('data')
def delete_role_tag_blacklist_tidy(self, mount_point=AWS_DEFAULT_MOUNT_POINT):
"""Delete previously configured periodic blacklist tidying settings.
:param mount_point: The path the AWS auth method was mounted on.
:type mount_point: str
:return: The response of the request.
:rtype: requests.Response
"""
api_path = utils.format_url('/v1/auth/{mount_point}/config/tidy/roletag-blacklist', mount_point=mount_point)
return self._adapter.delete(
url=api_path
)
def generate_credentials(self, name, mount_point=DEFAULT_MOUNT_POINT):
"""This endpoint generates a new set of dynamic credentials based on the named role.
:param name: Specifies the name of the role to create credentials against.
:type name: str | unicode
:param mount_point: Specifies the place where the secrets engine will be accessible (default: rabbitmq).
:type mount_point: str | unicode
:return: The response of the request.
:rtype: requests.Response
"""
api_path = utils.format_url("/v1/{}/creds/{}", mount_point, name)
return self._adapter.get(url=api_path, )
def list_sts_roles(self, mount_point=AWS_DEFAULT_MOUNT_POINT):
"""List AWS Account IDs for which an STS role is registered.
:param mount_point: The path the AWS auth method was mounted on.
:type mount_point: str
:return: The response of the request.
:rtype: requests.Response
"""
api_path = utils.format_url('/v1/auth/{mount_point}/config/sts',
mount_point=mount_point)
response = self._adapter.list(url=api_path)
return response.get('data')
def list_static_roles(self, mount_point=DEFAULT_MOUNT_POINT):
"""This endpoint returns a list of available static roles.
:param mount_point: The "path" the method/backend was mounted on.
:type mount_point: str | unicode
:return: The response of the request.
:rtype: requests.Response
"""
api_path = utils.format_url("/v1/{mount_point}/static-roles",
mount_point=mount_point)
return self._adapter.list(url=api_path, )
def read_role(self, name, mount_point=DEFAULT_MOUNT_POINT):
"""This endpoint queries the role definition.
:param name: Specifies the name of the role to read.
:type name: str | unicode
:param mount_point: Specifies the place where the secrets engine will be accessible (default: rabbitmq).
:type mount_point: str | unicode
:return: The JSON response of the request.
:rtype: requests.Response
"""
api_path = utils.format_url("/v1/{}/roles/{}", mount_point, name)
return self._adapter.get(url=api_path, )
def delete_sts_role(self, account_id, mount_point=AWS_DEFAULT_MOUNT_POINT):
"""Delete a previously configured AWS account/STS role association.
:param account_id:
:param mount_point: The path the AWS auth method was mounted on.
:type mount_point: str
:return: The response of the request.
:rtype: requests.Response
"""
api_path = utils.format_url('/v1/auth/{0}/config/sts/{1}', mount_point,
account_id)
return self._adapter.delete(url=api_path, )
def delete_blacklist_tags(self,
role_tag,
mount_point=AWS_DEFAULT_MOUNT_POINT):
"""Deletes a blacklisted role tag
:param role_tag:
:param mount_point:
:return:
"""
api_path = utils.format_url('/v1/auth/{0}/roletag-blacklist/{1}',
mount_point, role_tag)
return self._adapter.delete(url=api_path, )
def delete_identity_whitelist_entries(self,
instance_id,
mount_point=AWS_DEFAULT_MOUNT_POINT):
"""Deletes a cache of the successful login from an instance
:param instance_id:
:param mount_point:
:return:
"""
api_path = utils.format_url('/v1/auth/{0}/identity-whitelist/{1}',
mount_point, instance_id)
return self._adapter.delete(url=api_path, )
def read_role_tag_blacklist_tidy(self,
mount_point=AWS_DEFAULT_MOUNT_POINT):
"""Returns the previously configured periodic blacklist tidying settings
:param mount_point:
:return:
"""
api_path = utils.format_url(
'/v1/auth/{mount_point}/config/tidy/roletag-blacklist',
mount_point=mount_point)
response = self._adapter.get(url=api_path)
return response.get('data')
def hash_data(self,
hash_input,
algorithm=None,
output_format=None,
mount_point=DEFAULT_MOUNT_POINT):
"""Return the cryptographic hash of given data using the specified algorithm.
Supported methods:
POST: /{mount_point}/hash(/{algorithm}). Produces: 200 application/json
:param hash_input: Specifies the base64 encoded input data.
:type hash_input: str | unicode
:param algorithm: Specifies the hash algorithm to use. This can also be specified as part of the URL.
Currently-supported algorithms are: sha2-224, sha2-256, sha2-384, sha2-512
:type algorithm: str | unicode
:param output_format: Specifies the output encoding. This can be either hex or base64.
:type output_format: str | unicode
:param mount_point: The "path" the method/backend was mounted on.
:type mount_point: str | unicode
:return: The JSON response of the request.
:rtype: requests.Response
"""
if algorithm is not None and algorithm not in transit_constants.ALLOWED_HASH_DATA_ALGORITHMS:
error_msg = 'invalid algorithm argument provided "{arg}", supported types: "{allowed_types}"'
raise exceptions.ParamValidationError(
error_msg.format(
arg=algorithm,
allowed_types=', '.join(
transit_constants.ALLOWED_HASH_DATA_ALGORITHMS),
))
if output_format is not None and output_format not in transit_constants.ALLOWED_HASH_DATA_FORMATS:
error_msg = 'invalid output_format argument provided "{arg}", supported types: "{allowed_types}"'
raise exceptions.ParamValidationError(
error_msg.format(
arg=output_format,
allowed_types=', '.join(
transit_constants.ALLOWED_HASH_DATA_FORMATS),
))
params = {
'input': hash_input,
}
params.update(
utils.remove_nones({
'algorithm': algorithm,
'format': output_format,
}))
api_path = utils.format_url('/v1/{mount_point}/hash',
mount_point=mount_point)
response = self._adapter.post(
url=api_path,
json=params,
)
return response.json()
def create_namespace(self, path):
"""Create a namespace at the given path.
Supported methods:
POST: /sys/namespaces/{path}. Produces: 200 application/json
:return: The response of the request.
:rtype: requests.Response
"""
api_path = utils.format_url('/v1/sys/namespaces/{path}', path=path)
response = self._adapter.post(url=api_path, )
return response
def delete_namespace(self, path):
"""Delete a namespaces. You cannot delete a namespace with existing child namespaces.
Supported methods:
DELETE: /sys/namespaces. Produces: 204 (empty body)
:return: The response of the request.
:rtype: requests.Response
"""
api_path = utils.format_url('/v1/sys/namespaces/{path}', path=path)
response = self._adapter.delete(url=api_path, )
return response
def configure(self,
org_name,
api_token=None,
base_url=None,
ttl=None,
max_ttl=None,
bypass_okta_mfa=None,
mount_point=DEFAULT_MOUNT_POINT):
"""Configure the connection parameters for Okta.
This path honors the distinction between the create and update capabilities inside ACL policies.
Supported methods:
POST: /auth/{mount_point}/config. Produces: 204 (empty body)
:param org_name: Name of the organization to be used in the Okta API.
:type org_name: str | unicode
:param api_token: Okta API token. This is required to query Okta for user group membership. If this is not
supplied only locally configured groups will be enabled.
:type api_token: str | unicode
:param base_url: If set, will be used as the base domain for API requests. Examples are okta.com,
oktapreview.com, and okta-emea.com.
:type base_url: str | unicode
:param ttl: Duration after which authentication will be expired.
:type ttl: str | unicode
:param max_ttl: Maximum duration after which authentication will be expired.
:type max_ttl: str | unicode
:param bypass_okta_mfa: Whether to bypass an Okta MFA request. Useful if using one of Vault's built-in MFA
mechanisms, but this will also cause certain other statuses to be ignored, such as PASSWORD_EXPIRED.
:type bypass_okta_mfa: bool
:param mount_point: The "path" the method/backend was mounted on.
:type mount_point: str | unicode
:return: The response of the request.
:rtype: requests.Response
"""
params = {
'org_name': org_name,
}
params.update(
utils.remove_nones({
'api_token': api_token,
'base_url': base_url,
'ttl': ttl,
'max_ttl': max_ttl,
'bypass_okta_mfa': bypass_okta_mfa,
}))
api_path = utils.format_url('/v1/auth/{mount_point}/config',
mount_point=mount_point)
return self._adapter.post(
url=api_path,
json=params,
)
def generate_secret_id(self,
role_name,
metadata=None,
cidr_list=None,
token_bound_cidrs=None,
mount_point=DEFAULT_MOUNT_POINT):
"""
Generates and issues a new Secret ID on a role in the auth method.
Supported methods:
POST: /auth/{mount_point}/role/{role_name}/secret-id. Produces: 200 application/json
:param role_name: The name for the role.
:type role_name: str | unicode
:param metadata: Metadata to be tied to the Secret ID.
:type metadata: dict
:param cidr_list: Blocks of IP addresses which can perform login operations.
:type cidr_list: list
:param token_bound_cidrs: Blocks of IP addresses which can authenticate successfully.
:type token_bound_cidrs: list
:param mount_point: The "path" the method/backend was mounted on.
:type mount_point: str | unicode
:return: The JSON response of the read_role_id request.
:rtype: dict
"""
if metadata is not None and not isinstance(metadata, dict):
error_msg = 'unsupported metadata argument provided "{arg}" ({arg_type}), required type: dict"'
raise exceptions.ParamValidationError(
error_msg.format(
arg=metadata,
arg_type=type(metadata),
))
params = {'metadata': json.dumps(metadata) if metadata else metadata}
list_of_strings_params = {
'cidr_list': cidr_list,
'token_bound_cidrs': token_bound_cidrs
}
for param_name, param_argument in list_of_strings_params.items():
validate_list_of_strings_param(
param_name=param_name,
param_argument=param_argument,
)
if param_argument is not None:
params[param_name] = list_to_comma_delimited(param_argument)
api_path = utils.format_url(
'/v1/auth/{mount_point}/role/{role_name}/secret-id',
mount_point=mount_point,
role_name=role_name)
return self._adapter.post(url=api_path, json=params)
def rewrap_data(self, name, ciphertext, context=None, key_version=None, nonce=None, batch_input=None,
mount_point=DEFAULT_MOUNT_POINT):
"""Rewrap the provided ciphertext using the latest version of the named key.
Because this never returns plaintext, it is possible to delegate this functionality to untrusted users or scripts.
Supported methods:
POST: /{mount_point}/rewrap/{name}. Produces: 200 application/json
:param name: Specifies the name of the encryption key to re-encrypt against. This is specified as part of the URL.
:type name: str | unicode
:param ciphertext: Specifies the ciphertext to re-encrypt.
:type ciphertext: str | unicode
:param context: Specifies the base64 encoded context for key derivation. This is required if key derivation is
enabled.
:type context: str | unicode
:param key_version: Specifies the version of the key to use for the operation. If not set, uses the latest
version. Must be greater than or equal to the key's min_encryption_version, if set.
:type key_version: int
:param nonce: Specifies a base64 encoded nonce value used during encryption. Must be provided if convergent
encryption is enabled for this key and the key was generated with Vault 0.6.1. Not required for keys created
in 0.6.2+.
:type nonce: str | unicode
:param batch_input: Specifies a list of items to be decrypted in a single batch. When this parameter is set, if
the parameters 'ciphertext', 'context' and 'nonce' are also set, they will be ignored. Format for the input
goes like this: [dict(context="b64_context", ciphertext="b64_plaintext"), ...]
:type batch_input: List[dict]
:param mount_point: The "path" the method/backend was mounted on.
:type mount_point: str | unicode
:return: The JSON response of the request.
:rtype: requests.Response
"""
params = {
'ciphertext': ciphertext,
}
params.update(
utils.remove_nones({
'context': context,
'key_version': key_version,
'nonce': nonce,
'batch_input': batch_input,
})
)
api_path = utils.format_url(
'/v1/{mount_point}/rewrap/{name}',
mount_point=mount_point,
name=name,
)
return self._adapter.post(
url=api_path,
json=params,
)
def create_role(self,
name,
db_name,
creation_statements,
default_ttl=None,
max_ttl=None,
revocation_statements=None,
rollback_statements=None,
renew_statements=None,
mount_point=DEFAULT_MOUNT_POINT):
"""This endpoint creates or updates a role definition.
:param name: Specifies the database role to manage.
:type name: str | unicode
:param db_name: The name of the database connection to use for this role.
:type db_name: str | unicode
:param creation_statements: Specifies the database statements executed to create and configure a user.
:type creation_statements: list
:param default_ttl: Specifies the TTL for the leases associated with this role.
:type default_ttl: int
:param max_ttl: Specifies the maximum TTL for the leases associated with this role.
:type max_ttl: int
:param revocation_statements: Specifies the database statements to be executed to revoke a user.
:type revocation_statements: list
:param rollback_statements: Specifies the database statements to be executed to rollback
a create operation in the event of an error.
:type rollback_statements: list
:param renew_statements: Specifies the database statements to be executed to renew a user.
:type renew_statements: list
:param mount_point: The "path" the method/backend was mounted on.
:type mount_point: str | unicode
:return: The response of the request.
:rtype: requests.Response
"""
params = {
"db_name": db_name,
"creation_statements": creation_statements,
}
params.update(
utils.remove_nones({
"default_ttl": default_ttl,
"max_ttl": max_ttl,
"revocation_statements": revocation_statements,
"rollback_statements": rollback_statements,
"renew_statements": renew_statements,
}))
api_path = utils.format_url('/v1/{mount_point}/roles/{name}',
mount_point=mount_point,
name=name)
return self._adapter.post(url=api_path, json=params)
def generate_credentials(self, name, mount_point=DEFAULT_MOUNT_POINT):
"""This endpoint retrieves the previous and current LDAP password for
the associated account (or rotate if required)
:param name: Specifies the name of the role to request credentials from.
:type name: str | unicode
:param mount_point: Specifies the place where the secrets engine will be accessible (default: ad).
:type mount_point: str | unicode
:return: The response of the request.
:rtype: requests.Response
"""
api_path = utils.format_url("/v1/{}/creds/{}", mount_point, name)
return self._adapter.get(url=api_path, )
def rotate_root_credentials(self, name, mount_point=DEFAULT_MOUNT_POINT):
"""This endpoint is used to rotate the root superuser credentials stored for the database connection.
This user must have permissions to update its own password.
:param name: Specifies the name of the connection to rotate.
:type name: str | unicode
:return: The response of the request.
:rtype: requests.Response
"""
api_path = utils.format_url('/v1/{mount_point}/rotate-root/{name}',
mount_point=mount_point,
name=name)
return self._adapter.post(url=api_path, )
def reset_connection(self, name, mount_point=DEFAULT_MOUNT_POINT):
"""This endpoint closes a connection and it's underlying plugin and
restarts it with the configuration stored in the barrier.
:param name: Specifies the name of the connection to reset.
:type name: str | unicode
:return: The response of the request.
:rtype: requests.Response
"""
api_path = utils.format_url('/v1/{mount_point}/reset/{name}',
mount_point=mount_point,
name=name)
return self._adapter.post(url=api_path, )
def delete_connection(self, name, mount_point=DEFAULT_MOUNT_POINT):
"""This endpoint deletes a connection.
:param name: Specifies the name of the connection to delete.
:type name: str | unicode
:return: The response of the request.
:rtype: requests.Response
"""
api_path = utils.format_url('/v1/{mount_point}/config/{name}',
mount_point=mount_point,
name=name)
return self._adapter.delete(url=api_path, )
def disable_audit_device(self, path):
"""Disable the audit device at the given path.
Supported methods:
DELETE: /sys/audit/{path}. Produces: 204 (empty body)
:param path: The path of the audit device to delete. This is part of the request URL.
:type path: str | unicode
:return: The response of the request.
:rtype: requests.Response
"""
api_path = utils.format_url('/v1/sys/audit/{path}', path=path)
return self._adapter.delete(url=api_path, )
def generate_credentials(self, name, mount_point=DEFAULT_MOUNT_POINT):
"""This endpoint generates a dynamic Consul token based on the given role definition.
:param name: Specifies the name of an existing role against which to create this Consul credential.
:type name: str | unicode
:param mount_point: Specifies the place where the secrets engine will be accessible (default: consul).
:type mount_point: str | unicode
:return: The response of the request.
:rtype: requests.Response
"""
api_path = utils.format_url("/v1/{}/creds/{}", mount_point, name)
return self._adapter.get(url=api_path, )
def disable_secrets_engine(self, path):
"""Disable the mount point specified by the provided path.
Supported methods:
DELETE: /sys/mounts/{path}. Produces: 204 (empty body)
:param path: Specifies the path where the secrets engine will be mounted. This is specified as part of the URL.
:type path: str | unicode
:return: The response of the request.
:rtype: requests.Response
"""
api_path = utils.format_url('/v1/sys/mounts/{path}', path=path)
return self._adapter.delete(url=api_path, )
def read_role_tag_blacklist(self,
role_tag,
mount_point=AWS_DEFAULT_MOUNT_POINT):
"""Returns the blacklist entry of a previously blacklisted role tag
:param role_tag:
:param mount_point:
:return:
"""
api_path = utils.format_url('/v1/auth/{0}/roletag-blacklist/{1}',
mount_point, role_tag)
response = self._adapter.get(url=api_path)
return response.json().get('data')
def read_identity_whitelist(self,
instance_id,
mount_point=AWS_DEFAULT_MOUNT_POINT):
"""Returns an entry in the whitelist. An entry will be created/updated by every successful login
:param instance_id:
:param mount_point:
:return:
"""
api_path = utils.format_url('/v1/auth/{0}/identity-whitelist/{1}',
mount_point, instance_id)
response = self._adapter.get(url=api_path)
return response.json().get('data')
def delete_identity_whitelist_entries(self, instance_id, mount_point=AWS_DEFAULT_MOUNT_POINT):
"""Deletes a cache of the successful login from an instance
:param instance_id:
:param mount_point: The path the AWS auth method was mounted on.
:type mount_point: str
:return: The response of the request.
:rtype: requests.Response
"""
api_path = utils.format_url('/v1/auth/{0}/identity-whitelist/{1}', mount_point, instance_id)
return self._adapter.delete(
url=api_path,
)
