    def config_access(self, address, token):
        """Configure how Vault reaches the Consul instance.

        This is a root protected endpoint.

        A leading ``https://`` or ``http://`` on ``address`` is split off and
        sent as a separate ``scheme`` field; an address with neither prefix is
        sent unchanged with ``scheme`` left as ``None``.

        Parameters:
            address (str): The address of the Consul instance,
                           provided as scheme://host:port
            token (str): The Consul ACL token to use.
                         Must be a management type token.
        Returns:
            bool
        """
        scheme = None
        for candidate in ('https', 'http'):
            prefix = candidate + '://'
            if address.startswith(prefix):
                scheme = candidate
                address = address[len(prefix):]
                break
        # The management token is carried in the JSON body; transport
        # protection for it is whatever req_handler provides.
        payload = {'address': address, 'token': token, 'scheme': scheme}
        response = yield from self.req_handler(
            'POST', self.path('config/access'), json=payload)
        return ok(response)
    def config_connection(self, *, dsn):
        """Set the connection string the MySQL backend uses.

        The value is a Data Source Name (DSN), for example
        ``username:password@protocol(address)/dbname?param=value``; an RDS
        instance may look like::

            id:password@tcp(your-amazonaws-uri.com:3306)/dbname

        The backend verifies the string's validity when it is configured.

        This is a root protected endpoint.

        Parameters:
            dsn (str): The MySQL DSN (note that it embeds the database
                       credentials and is sent in the request body)
        Returns:
            bool
        """
        payload = {'value': dsn}
        response = yield from self.req_handler(
            'POST', self.path('config/connection'), json=payload)
        return ok(response)
    def configure(self, url, userattr, userdn, groupdn):
        """Configure the LDAP server to connect to.

        Sets the server URL and the basic schema information Vault needs
        to look up users and groups there.

        The URL may use either the "ldap://" or "ldaps://" scheme: the former
        is an unencrypted connection (default port 389), the latter an SSL
        connection (default port 636).

        Parameters:
            url (str): ldap URL to connect to (default: ldap://127.0.0.1)
            userattr (str): Attribute used for users (default: cn)
            userdn (str): LDAP domain to use for users
                          (eg: ou=People,dc=example,dc=org)
            groupdn (str): LDAP domain to use for groups
                           (eg: ou=Groups,dc=example,dc=org)
        Returns:
            bool
        """
        payload = {
            'url': url,
            'userattr': userattr,
            'userdn': userdn,
            'groupdn': groupdn,
        }
        response = yield from self.req_handler(
            'POST', self.path('config'), json=payload)
        return ok(response)
    def write_role(self, name, *, policy):
        """Create or update a named AWS role.

        Roles are used to create access keys; their IAM policies map directly
        to the route that reads the keys. With the backend mounted at "aws", a
        role written at "aws/roles/deploy" lets a user request credentials at
        "aws/creds/deploy".

        The policy is a normal IAM policy. Vault only checks that it is basic
        JSON; to validate the keys, read an access key after writing it.

        Parameters:
            name (str): The role name.
            policy (obj): The IAM policy.
        Returns:
            bool
        """
        target = self.path('roles', name)
        response = yield from self.req_handler(
            'POST', target, json={'policy': policy})
        return ok(response)
    def config_lease(self, *, lease, lease_max):
        """Set the default lease settings for generated credentials.

        ``lease`` is how long a credential stays valid; ``lease_max`` caps
        the total session for a set of credentials. Both are strings such as
        "1h" (integer followed by a unit, hour being the largest unit) and are
        normalised through ``format_duration`` before being sent.

        Parameters:
            lease (str): The lease value provided as a string duration with
                         time suffix. Hour is the largest suffix.
            lease_max (str): The maximum lease value provided as a string
                             duration with time suffix. Hour is the largest
                             suffix.
        Returns:
            bool
        """
        durations = (('lease', lease), ('lease_max', lease_max))
        payload = {key: format_duration(value) for key, value in durations}
        response = yield from self.req_handler(
            'POST', self.path('config/lease'), json=payload)
        return ok(response)
    def config_lease(self, *, lease, lease_max):
        """Set the default lease settings for generated credentials.

        ``lease`` is the duration a credential stays valid and ``lease_max``
        the maximum session for a set of credentials. Values are strings like
        "1h" (integer plus unit, hour being the longest unit) and are passed
        through ``format_duration`` before being sent.

        Parameters:
            lease (str): The lease value provided as a string duration with
                         time suffix. Hour is the largest suffix.
            lease_max (str): The maximum lease value provided as a string
                             duration with time suffix. Hour is the largest
                             suffix.
        Returns:
            bool
        """
        endpoint = self.path('config/lease')
        payload = {}
        payload['lease'] = format_duration(lease)
        payload['lease_max'] = format_duration(lease_max)
        response = yield from self.req_handler('POST', endpoint, json=payload)
        return ok(response)
    def write_role(self, name, *, policy):
        """Create or update a named AWS role.

        Roles drive access-key creation; their IAM policies map directly to
        the route used to read the keys. If the backend is mounted at "aws"
        and a role is written at "aws/roles/deploy", credentials can then be
        requested at "aws/creds/deploy".

        Vault does not parse the policy beyond checking it is basic JSON; to
        validate it, read an access key after writing it.

        Parameters:
            name (str): The role name.
            policy (obj): The IAM policy.
        Returns:
            bool
        """
        payload = {'policy': policy}
        endpoint = self.path('roles', name)
        response = yield from self.req_handler('POST', endpoint, json=payload)
        return ok(response)
    def write_cert(self,
                   name,
                   *,
                   certificate,
                   display_name=None,
                   policies=None,
                   lease=None):
        """Register a trusted client certificate under ``name``.

        ``policies`` goes through ``format_policies`` and ``lease`` through
        ``format_duration`` before the request is sent.

        Parameters:
            name (str): The name of the certificate
            certificate (str): The public certificate that should be trusted.
                               Must be x509 PEM encoded
            display_name (str): The display name to use for clients using this
                                certificate
            policies (list): The policies
            lease (str): Lease time in seconds. Defaults to 1 hour
        """
        endpoint = self.path('certs', name)
        payload = dict(
            policies=format_policies(policies),
            display_name=display_name,
            certificate=certificate,
            lease=format_duration(lease),
        )
        response = yield from self.req_handler('POST', endpoint, json=payload)
        return ok(response)
    def delete_role(self, name):
        """Remove the role definition called ``name``.

        Parameters:
            name (str): The role name
        """
        endpoint = self.path('roles', name)
        response = yield from self.req_handler('DELETE', endpoint)
        return ok(response)
    def disable(self, name):
        """Disable the auth backend mounted at ``name``.

        Parameters:
            name (str): The name of mount
        """
        endpoint = self.path(name)
        response = yield from self.req_handler('DELETE', endpoint)
        return ok(response)
    def delete_role(self, name):
        """Delete the role definition named ``name``.

        Parameters:
            name (str): The role name
        """
        response = yield from self.req_handler(
            'DELETE', self.path('roles', name))
        return ok(response)
    def disable(self):
        """Disable this auth backend.

        The mount name is taken from ``self.name`` and interpolated into the
        ``/sys/auth/`` path verbatim (no URL quoting).

        Returns:
            bool
        """
        endpoint = '/sys/auth/%s' % self.name
        response = yield from self.req_handler('DELETE', endpoint)
        return ok(response)
    def delete_cert(self, name):
        """Remove the trusted certificate registered under ``name``.

        Parameters:
            name (str): The name of the certificate
        """
        endpoint = self.path('certs', name)
        response = yield from self.req_handler('DELETE', endpoint)
        return ok(response)
    def seal(self):
        """Seal the Vault.

        Returns:
            bool: Vault has been sealed
        """
        response = yield from self.req_handler('PUT', '/sys/seal')
        return ok(response)
    def seal(self):
        """Seal the Vault.

        Returns:
            bool: Vault has been sealed
        """
        endpoint = '/sys/seal'
        response = yield from self.req_handler('PUT', endpoint)
        return ok(response)
    def delete_app(self, app):
        """Delete the app-id mapping for ``app``.

        ``app`` is normalised with ``extract_id`` before the path is built.

        Parameters:
            app (str): The application ID
        Returns:
            bool
        """
        app_id = extract_id(app)
        endpoint = self.path('map', 'app-id', app_id)
        response = yield from self.req_handler('DELETE', endpoint)
        return ok(response)
    def unmount(self):
        """Unmount this secret backend.

        Raises:
            MountError: if the request fails with an ``HTTPError`` (its
                ``errors`` are forwarded) or the response is not ok.
        """
        endpoint = '/sys/mounts/%s' % self.name
        try:
            response = yield from self.req_handler('DELETE', endpoint)
        except HTTPError as error:
            raise MountError(*error.errors)
        if not ok(response):
            raise MountError
    def disable(self, name):
        """Disable the audit backend called ``name``.

        Parameters:
            name (str): The audit name
        Returns:
            bool
        """
        endpoint = self.path(name)
        response = yield from self.req_handler('DELETE', endpoint)
        return ok(response)
    def delete_app(self, app):
        """Delete the app-id mapping for ``app``.

        The identifier is passed through ``extract_id`` first.

        Parameters:
            app (str): The application ID
        Returns:
            bool
        """
        endpoint = self.path('map', 'app-id', extract_id(app))
        response = yield from self.req_handler('DELETE', endpoint)
        return ok(response)
    def revoke_prefix(self, path_prefix):
        """Immediately revoke every secret generated under ``path_prefix``.

        The prefix is interpolated into the ``/sys/revoke-prefix/`` path
        verbatim, without URL quoting.

        Parameters:
            path_prefix (str): The path prefix
        Returns:
            bool
        """
        endpoint = '/sys/revoke-prefix/%s' % path_prefix
        response = yield from self.req_handler('PUT', endpoint)
        return ok(response)
    def delete(self, key):
        """Ensure the key at ``key`` is absent.

        Parameters:
            key (str): The key name
        Returns:
            bool: The key does not exist in storage
        """
        endpoint = self.path(key)
        response = yield from self.req_handler('DELETE', endpoint)
        return ok(response)
    def revoke(self, lease_id):
        """Immediately revoke the secret with lease ``lease_id``.

        The lease id is interpolated into the ``/sys/revoke/`` path verbatim
        (no URL quoting).

        Parameters:
            lease_id (str): The lease id
        Returns:
            bool
        """
        endpoint = '/sys/revoke/%s' % lease_id
        response = yield from self.req_handler('PUT', endpoint)
        return ok(response)
    def delete(self, key):
        """Ensure that the key named ``key`` is absent.

        Parameters:
            key (str): The key name
        Returns:
            bool: The key does not exist in storage
        """
        response = yield from self.req_handler('DELETE', self.path(key))
        return ok(response)
    def delete_user(self, user):
        """Delete the user-id mapping for ``user``.

        ``user`` is normalised with ``extract_id`` before the path is built.

        Parameters:
            user (str): The user name
        Returns:
            bool
        """
        user_id = extract_id(user)
        endpoint = self.path('map', 'user-id', user_id)
        response = yield from self.req_handler('DELETE', endpoint)
        return ok(response)
    def delete_role(self, name):
        """Delete the role called ``name``.

        Parameters:
            name (str): The role name.
        Returns:
            bool
        """
        endpoint = self.path('roles', name)
        response = yield from self.req_handler('DELETE', endpoint)
        return ok(response)
    def delete_role(self, name):
        """Delete the named role.

        Parameters:
            name (str): The role name.
        Returns:
            bool
        """
        response = yield from self.req_handler(
            'DELETE', self.path('roles', name))
        return ok(response)
    def disable(self, name):
        """Disable the audit backend named ``name``.

        Parameters:
            name (str): The audit name
        Returns:
            bool
        """
        response = yield from self.req_handler('DELETE', self.path(name))
        return ok(response)
    def revoke_prefix(self, path_prefix):
        """Revoke all secrets generated under ``path_prefix`` immediately.

        ``path_prefix`` is placed into the request path as-is (no quoting).

        Parameters:
            path_prefix (str): The path prefix
        Returns:
            bool
        """
        response = yield from self.req_handler(
            'PUT', '/sys/revoke-prefix/%s' % path_prefix)
        return ok(response)
    def revoke(self, lease_id):
        """Revoke the secret identified by ``lease_id`` immediately.

        The id is placed into the ``/sys/revoke/`` path as-is.

        Parameters:
            lease_id (str): The lease id
        Returns:
            bool
        """
        response = yield from self.req_handler(
            'PUT', '/sys/revoke/%s' % lease_id)
        return ok(response)
    def delete_user(self, user):
        """Delete the user-id mapping for ``user``.

        The name is passed through ``extract_id`` before building the path.

        Parameters:
            user (str): The user name
        Returns:
            bool
        """
        endpoint = self.path('map', 'user-id', extract_id(user))
        response = yield from self.req_handler('DELETE', endpoint)
        return ok(response)
    def create(self, username, password, policies=None):
        """Create a new user in the userpass backend.

        ``policies`` is sent exactly as given (no formatting is applied here).

        Parameters:
            username (str): The username
            password (str): The password (sent in the request body)
            policies (list): The policies associated with the user
        """
        endpoint = self.path('users', username)
        payload = {'password': password, 'policies': policies}
        response = yield from self.req_handler('POST', endpoint, json=payload)
        return ok(response)
    def revoke_prefix(self, prefix):
        """Revoke all tokens created under ``prefix``.

        Child tokens and every secret generated with those tokens are revoked
        too. A typical use is revoking everything a credential backend issued
        during a suspected compromise.

        Parameters:
            prefix (str): The token prefix
        """
        endpoint = self.token_path('revoke-prefix', prefix)
        response = yield from self.req_handler('POST', endpoint)
        return ok(response)
    def enable(self, description=None):
        """Enable this auth backend under ``self.name``.

        The backend type is taken from ``self.type``; the mount name is
        interpolated into the ``/sys/auth/`` path verbatim.

        Parameters:
            description (str): A human-friendly description of the auth backend
        Returns:
            bool
        """
        endpoint = '/sys/auth/%s' % self.name
        payload = {'type': self.type, 'description': description}
        response = yield from self.req_handler('POST', endpoint, json=payload)
        return ok(response)
    def configure(self, *, organization):
        """Set the GitHub organization users must belong to.

        Parameters:
            organization (str): The organization name a user must be a part of
                                to authenticate
        Returns:
            bool
        """
        payload = {'organization': organization}
        response = yield from self.req_handler(
            'POST', self.path('config'), json=payload)
        return ok(response)
    def write(self, key, value):
        """Update the value stored at ``key``.

        The value is JSON-serialised with ``json.dumps`` and sent under the
        ``value`` field, so it must be JSON-encodable.

        Parameters:
            key (str): The key name
            value (obj): The value of the key.
        Returns:
            bool: The key has been written
        """
        serialised = json.dumps(value)
        response = yield from self.req_handler(
            'PUT', self.path(key), json={'value': serialised})
        return ok(response)
    def write_role(self, name, sql):
        """Create or update the database role definition ``name``.

        Parameters:
            name (str): The role name
            sql (str): The SQL statements executed to create and configure
                       the role. Must be semi-colon separated. The '{{name}}',
                       '{{password}}' and '{{expiration}}' values will be
                       substituted.
        """
        endpoint = self.path('roles', name)
        response = yield from self.req_handler(
            'POST', endpoint, json={'sql': sql})
        return ok(response)
    def write_role(self, name, sql):
        """Create or update the role definition named ``name``.

        Parameters:
            name (str): The role name
            sql (str): The SQL statements executed to create and configure
                       the role. Must be semi-colon separated. The '{{name}}',
                       '{{password}}' and '{{expiration}}' values will be
                       substituted.
        """
        payload = {'sql': sql}
        endpoint = self.path('roles', name)
        response = yield from self.req_handler('POST', endpoint, json=payload)
        return ok(response)
    def configure(self, *, organization):
        """Configure the GitHub organization required for login.

        Parameters:
            organization (str): The organization name a user must be a part of
                                to authenticate
        Returns:
            bool
        """
        endpoint = self.path('config')
        payload = {'organization': organization}
        response = yield from self.req_handler('POST', endpoint, json=payload)
        return ok(response)
    def write(self, key, value):
        """Update the value of the key stored at ``key``.

        ``value`` is serialised with ``json.dumps`` and sent as the ``value``
        field of the request body.

        Parameters:
            key (str): The key name
            value (obj): The value of the key.
        Returns:
            bool: The key has been written
        """
        endpoint = self.path(key)
        payload = {'value': json.dumps(value)}
        response = yield from self.req_handler('PUT', endpoint, json=payload)
        return ok(response)
    def delete_key(self, name):
        """Delete the named transit encryption key.

        This is a root protected endpoint. Once the key is gone, nothing
        encrypted with it can be decrypted any more.

        Parameters:
            name (str): The transit key
        Returns:
            bool
        """
        endpoint = self.path('keys', name)
        response = yield from self.req_handler('DELETE', endpoint)
        return ok(response)
    def write_team(self, name, policies):
        """Map a GitHub team to a set of policies.

        ``policies`` is normalised through ``format_policies`` and sent as
        the ``value`` field.

        Parameters:
            name (str): The team name
            policies (list): The team policies
        Returns:
            bool
        """
        endpoint = self.path('map', 'teams', name)
        payload = {'value': format_policies(policies)}
        response = yield from self.req_handler('POST', endpoint, json=payload)
        return ok(response)
    def write_role(self, name, *, policy, lease=None):
        """Create or update the Consul role definition ``name``.

        The policy is base64-encoded with ``base64_encode`` and the lease is
        passed through ``format_duration`` before the request is sent.

        Parameters:
            name (str): The role name
            policy (str): The Consul ACL policy.
            lease (str): Optional lease duration for generated tokens
        Returns:
            bool
        """
        endpoint = self.path('roles', name)
        payload = {
            'policy': base64_encode(policy),
            'lease': format_duration(lease),
        }
        response = yield from self.req_handler('POST', endpoint, json=payload)
        return ok(response)
    def write_team(self, name, policies):
        """Configure the policies granted to a GitHub team.

        Parameters:
            name (str): The team name
            policies (list): The team policies (run through
                             ``format_policies``)
        Returns:
            bool
        """
        formatted = format_policies(policies)
        response = yield from self.req_handler(
            'POST', self.path('map', 'teams', name), json={'value': formatted})
        return ok(response)
    def config_connection(self, *, dsn):
        """Set the connection string used to reach PostgreSQL.

        This is a root protected endpoint.

        Parameters:
            dsn (str): The PostgreSQL connection URL or PG style string,
                       e.g. "user=foo host=bar". Any embedded credentials
                       are sent in the request body.
        """
        endpoint = self.path('config/connection')
        response = yield from self.req_handler(
            'POST', endpoint, json={'value': dsn})
        return ok(response)
    def config_connection(self, *, dsn):
        """Configure the PostgreSQL connection string.

        This is a root protected endpoint.

        Parameters:
            dsn (str): The PostgreSQL connection URL or PG style string.
                       e.g. "user=foo host=bar"
        """
        payload = {'value': dsn}
        endpoint = self.path('config/connection')
        response = yield from self.req_handler('POST', endpoint, json=payload)
        return ok(response)
    def unmount(self, name):
        """Unmount the secret backend mounted at ``name``.

        ``name`` is normalised with ``extract_name`` first. An
        ``InternalServerError`` from the request is reported as ``False``
        rather than raised.

        Parameters:
            name (str): The name of mounted backend
        Returns:
            bool
        """
        endpoint = self.path(extract_name(name))
        try:
            response = yield from self.req_handler('DELETE', endpoint)
        except InternalServerError:
            return False
        return ok(response)
    def delete_group(self, name):
        """Delete the LDAP group mapping called ``name``.

        Removing a group does not revoke users who already authenticated
        through it; revoke "login/<username>" for each such user instead.

        Parameters:
            name (str): Name of the LDAP group
        Returns:
            bool
        """
        endpoint = self.path('groups', name)
        response = yield from self.req_handler('DELETE', endpoint)
        return ok(response)
    def write(self, key, values):
        """Store ``values`` at ``key``.

        Parameters:
            key (str): The key to write
            values (dict): The data to write; sent as the JSON body as-is
        Returns:
            bool: The key has been written
        Raises:
            ValueError: if ``values`` is not a dict (raised on first
                iteration, since this is a generator)
        """
        if isinstance(values, dict):
            response = yield from self.req_handler(
                'POST', self.path(key), json=values)
            return ok(response)
        raise ValueError('values must be a dict')
    def write_key(self, name, *, derived=False):
        """Create a named transit encryption key.

        This is a root protected endpoint.

        Parameters:
            name (str): The transit key
            derived (bool): Enables key derivation mode. This allows
                            for per-transaction unique keys
        Returns:
            bool
        """
        endpoint = self.path('keys', name)
        payload = {'derived': derived}
        response = yield from self.req_handler('POST', endpoint, json=payload)
        return ok(response)
    def delete(self, name):
        """Delete the policy rules named ``name``.

        Takes effect immediately for all associated users; a user attached
        to a policy that does not exist is treated as not having it.
        ``name`` is normalised with ``extract_name`` first.

        Parameters:
            name (str): The policy name
        Returns:
            bool: Policy does not exist in storage
        """
        endpoint = self.path(extract_name(name))
        response = yield from self.req_handler('DELETE', endpoint)
        return ok(response)
    def write_user(self, user, app, cidr_block=None):
        """Map ``user`` to ``app`` in the app-id backend.

        ``app`` is normalised with ``extract_id`` and ``user`` with
        ``extract_name``; ``cidr_block`` is forwarded unchanged.

        Parameters:
            user (str): The user name
            app (str): The application ID
            cidr_block (str): The CIDR block to limit
        Returns:
            bool
        """
        app_id = extract_id(app)
        user_name = extract_name(user)
        endpoint = self.path('map', 'user-id', user_name)
        payload = {'value': app_id, 'cidr_block': cidr_block}
        response = yield from self.req_handler('POST', endpoint, json=payload)
        return ok(response)
    def remount(self, dest):
        """Move this secret backend to ``dest``.

        On success ``self.name`` is updated to the new mount point.

        Parameters:
            dest (str): The new endpoint (normalised with ``extract_name``)
        Raises:
            MountError: on an ``HTTPError`` (its ``errors`` are forwarded)
                or when the response is not ok.
        """
        target = extract_name(dest)
        payload = {'from': self.name, 'to': target}
        try:
            response = yield from self.req_handler(
                'POST', '/sys/remount', json=payload)
        except HTTPError as error:
            raise MountError(*error.errors)
        if not ok(response):
            raise MountError
        self.name = target
    def write_app(self, app, *, policies=None, display_name=None):
        """Create or update the app-id entry for ``app``.

        ``app`` is normalised with ``extract_id`` and ``policies`` with
        ``format_policies``. When ``display_name`` is falsy the normalised
        app id is used instead.

        Parameters:
            app (str): The application ID
            policies (list): The policies
            display_name (str): The name to be displayed
        Returns:
            bool
        """
        app_id = extract_id(app)
        payload = {
            'display_name': display_name or app_id,
            'value': format_policies(policies),
        }
        response = yield from self.req_handler(
            'POST', self.path('map', 'app-id', app_id), json=payload)
        return ok(response)
    def write(self, name, rules):
        """Set the rules of the policy called ``name``.

        Updates take effect immediately for all associated users. ``name``
        is normalised with ``extract_name``; if ``rules`` has a ``rules``
        attribute that attribute is used, otherwise ``rules`` itself. The
        result is JSON-encoded under a ``path`` key.

        Parameters:
            name (str): The policy name
            rules (dict): The rules.
        Returns:
            bool: Rules have been written
        """
        policy_name = extract_name(name)
        rule_set = getattr(rules, 'rules', rules)
        payload = {'rules': json.dumps({'path': rule_set})}
        response = yield from self.req_handler(
            'PUT', self.path(policy_name), json=payload)
        return ok(response)
    def config_lease(self, lease, lease_max):
        """Configure the lease settings for generated credentials.

        If not configured, leases default to 1 hour.
        This is a root protected endpoint. Both values are normalised with
        ``format_duration`` before being sent.

        Parameters:
            lease (str): The lease value provided as a string duration
                         with time suffix. Hour is the largest suffix.
            lease_max (str): The maximum lease value provided as a string
                             duration with time suffix. Hour is the largest
                             suffix.
        """
        endpoint = self.path('config/lease')
        payload = dict(lease=format_duration(lease),
                       lease_max=format_duration(lease_max))
        response = yield from self.req_handler('POST', endpoint, json=payload)
        return ok(response)
    def config_root(self, *, access_key, secret_key, region=None):
        """Configure the root IAM credentials the AWS backend uses.

        The backend needs credentials able to manage IAM policies, users and
        access keys. They need not be root keys as long as they can manage
        IAM, e.g.::

            {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Sid": "Stmt1432042359000",
                        "Effect": "Allow",
                        "Action": [
                            "iam:CreateUser",
                            "iam:PutUserPolicy",
                            "iam:CreateAccessKey"
                        ],
                        "Resource": [
                            "*"
                        ]
                    }
                ]
            }

        The secret key is sent in the JSON request body.

        Parameters:
            access_key (str): Access key with permission to create new keys
            secret_key (str): Secret key with permission to create new keys
            region (str): The region for API calls
        Returns:
            bool
        """
        payload = {
            'access_key': access_key,
            'secret_key': secret_key,
            'region': region,
        }
        endpoint = self.path('config/root')
        response = yield from self.req_handler('POST', endpoint, json=payload)
        return ok(response)
    def mount(self, *, name=None, description=None):
        """Mount a new secret backend of type ``self.type``.

        When ``name`` is falsy ``self.name`` is used; on success ``self.name``
        is set to the mount point actually used. The name is interpolated
        into the ``/sys/mounts/`` path verbatim.

        Parameters:
            name (str): The new endpoint
            description (str): A human-friendly description of the mount
        Raises:
            MountError: on an ``HTTPError`` (its ``errors`` are forwarded)
                or when the response is not ok.
        """
        mount_point = name or self.name
        endpoint = '/sys/mounts/%s' % mount_point
        payload = {'type': self.type, 'description': description}
        try:
            response = yield from self.req_handler(
                'POST', endpoint, json=payload)
        except HTTPError as error:
            raise MountError(*error.errors)
        if not ok(response):
            raise MountError
        self.name = mount_point