def export_key(self,
key_type: enums.ExportKeyType,
version: int = 0) -> dict:
response = self.af.go_single(self.export_key_task(key_type, version))
if not is_success(response.status):
raise Exception(response)
return response.result['data']
def unseal_many(self, keys: t.List[str]) -> t.List:
responses = self.go_tasks(*[self.unseal_task(_key)
for _key in keys]).values()
if not all(
is_success(sub_response.status) for sub_response in responses):
raise Exception(responses)
return [sub_response.result for sub_response in responses]
def rewrap_data_batch(
self,
batch: t.List[str_dict__or__bytes_or_str]) -> t.List[str_dict]:
response = self.af.go_single(self.rewrap_b64_task(batch_input=batch))
if not is_success(response.status):
raise Exception(response)
return response.result['data']['batch_results']
def rewrap_encrypted_files(
self,
file_bundles_list: t.List[str_dict],
output_dir: str = '',
makedirs: bool = False,
do_rewrap_file_names: bool = False,
output_filename_template: str = '%(version)s_%(filename)s.vault'):
response = self.af.go_single(
self.rewrap_encrypted_files_task(file_bundles_list,
do_rewrap_file_names))
if not is_success(response.status):
raise Exception(response)
batch_results = response.result['data']['batch_results']
encrypted_files_data = batch_results[:len(file_bundles_list)]
encrypted_file_names = batch_results[len(file_bundles_list):]
if makedirs:
os.makedirs(output_dir, exist_ok=True)
# same as encrypt
return self.handle_encrypt_files(
file_bundles_list=file_bundles_list,
encrypted_files_data=encrypted_files_data,
encrypted_file_names=encrypted_file_names,
output_dir=output_dir,
makedirs=makedirs,
do_encrypt_file_names=do_rewrap_file_names,
output_filename_template=output_filename_template,
rewrap=True)
def encrypt_batch(
self, plain_data_bundle: t.List[str_dict__or__bytes_or_str]
) -> t.List[str_dict]:
response = self.af.go_single(
self.encrypt_batch_task(plain_data_bundle))
if not is_success(response.status):
raise Exception(response)
return response.result['data']['batch_results']
def config_key(self,
min_decryption_version: int = None,
deletion_allowed: bool = None):
response = self.af.go_single(
self.config_key_task(min_decryption_version, deletion_allowed))
if not is_success(response.status):
raise Exception(response)
return response.result
def encrypt_data(self,
plain_text: str_or_bytes,
context: str = '',
nonce: str = ''):
response = self.af.go_single(
self.encrypt_data_task(plain_text, context, nonce))
if not is_success(response.status):
raise Exception(response)
return response.result['data']['ciphertext']
def mount_write_config(self,
mount_point: str,
default_lease_ttl: str = '0',
max_lease_ttl: str = '0') -> None:
response = self.af.go_single(
self.mount_write_config_task(mount_point, default_lease_ttl,
max_lease_ttl))
if not is_success(response.status):
raise Exception(response)
return response.result
def encrypt_b64(self,
b64_plain_text: str = '',
b64_context: str = '',
b64_nonce: str = '',
batch_input: t.List[t.Dict[str, str]] = None) -> dict:
response = self.af.go_single(
self.encrypt_b64_task(b64_plain_text, b64_context, b64_nonce,
batch_input))
if not is_success(response.status):
raise Exception(response)
return response.result
def rewrap_b64(self,
ciphertext: str = '',
b64_context: str = '',
b64_nonce: str = '',
batch_input: t.List[t.Dict[str, str]] = None):
response = self.af.go_single(
self.rewrap_b64_task(ciphertext, b64_context, b64_nonce,
batch_input))
if not is_success(response.status):
raise Exception(response)
return response.result
def sign(
self,
input_data: str_or_bytes,
output_format: enums.DigestOutputFormat = enums.DigestOutputFormat.
HEX,
algorithm: enums.DigestAlgorithm = enums.DigestAlgorithm.SHA2_256):
response = self.af.go_single(
self.sign_task(input_data, output_format, algorithm))
if not is_success(response.status):
raise Exception(response)
return response.result['data']['signature']
def rewrap_data(self,
ciphertext: str = '',
context: str = '',
nonce: str = '') -> str:
response = self.af.go_single(
self.rewrap_data_task(ciphertext=ciphertext,
context=context,
nonce=nonce))
if not is_success(response.status):
raise Exception(response)
return response.result['data']['batch_results'][0]['ciphertext']
def create_key(self,
key_type: enums.EncryptionKeyType = None,
convergent_encryption: bool = False,
derived: bool = False,
exportable: bool = False):
task_bundle = self.create_key_task(key_type, convergent_encryption,
derived, exportable)
response = self.af.go_single(task_bundle)
if not is_success(response.status):
raise Exception(response)
return response.result
def list_keys(self) -> t.Dict[str, 'TransitKey']:
response = self.af.go_single(self.list_keys_task())
if not is_success(response.status):
# do not raise if no keys present
if response.status == 404 and not response.result['errors']:
return {}
raise Exception(response)
key_instance_map = OrderedDict()
for key_name in response.result['data']['keys']:
key_instance_map[key_name] = TransitKey(self, key_name)
return key_instance_map
def decrypt_batch(
self,
ciphertext_data_bundle: t.List[str_dict__or__bytes_or_str],
encoding: str = None) -> t.List[str]:
response = self.af.go_single(
self.decrypt_batch_task(ciphertext_data_bundle))
if not is_success(response.status):
raise Exception(response)
results = []
for br in response.result['data']['batch_results']:
results.append(b64_decode(br['plaintext'], encoding=encoding))
return results
def encrypt_files(
self,
file_bundles_list: t.List[str_dict_or_str],
output_dir: str = '',
makedirs: bool = False,
do_encrypt_file_names: bool = False,
output_filename_template: str = '%(version)s_%(filename)s.vault'
) -> t.List[str]:
"""
:param do_encrypt_file_names: default for encrypt file names and encode encrypted data with base32
:param file_bundles_list:
[
{
'file': __file__,
'data_context': 'ct1',
'data_nonce': 'n1',
'name_context': 'ct2', # context should be set either in all the request blocks or in none
'name_nonce': 'n2',
'encrypted_file_name': True
},
]
:param output_dir: default output dir for encrypted files
:param makedirs: create output directory
:param output_filename_template: %(version)s_%(filename)s.vault
:return: absolute file paths of files encrypted, ['/path/1.vault',]
"""
response = self.af.go_single(
self.encrypt_files_task(
file_bundles_list,
do_encrypt_file_names=do_encrypt_file_names), )
if not is_success(response.status):
raise Exception(response)
encrypted_files_data = response.result['data'][
'batch_results'][:len(file_bundles_list)]
encrypted_file_names = response.result['data']['batch_results'][
len(file_bundles_list):]
if makedirs:
os.makedirs(output_dir, exist_ok=True)
return self.handle_encrypt_files(
file_bundles_list=file_bundles_list,
encrypted_files_data=encrypted_files_data,
encrypted_file_names=encrypted_file_names,
output_dir=output_dir,
makedirs=makedirs,
do_encrypt_file_names=do_encrypt_file_names,
output_filename_template=output_filename_template)
def mount(self,
backend_type: enums.SecretBackend,
mount_point: str = 'mount-point',
description: str = '',
config: dict = None):
response = self.af.go_single(
self.mount_task(backend_type, mount_point, description, config))
if not is_success(response.status):
raise Exception(response)
if backend_type == enums.SecretBackend.Transit:
from vault_mods.transit import Transit
return Transit(server_url=self.server_url,
api_version=self.api_version,
mount_point=mount_point,
loop=self.loop,
cafile=self.cafile,
token=self.token,
tcp_connector=self.get_tcp_connector(),
parent=self)
return response.result
def decrypt_files(self,
file_bundles_list: t.List[str_dict_or_str],
do_decrypt_file_names: bool = False,
output_dir: str = '',
makedirs: bool = False) -> t.List[str]:
response = self.af.go_single(
self.decrypt_files_task(file_bundles_list, do_decrypt_file_names))
if not is_success(response.status):
raise Exception(response)
decrypted_files_data = response.result['data'][
'batch_results'][:len(file_bundles_list)]
decrypted_file_names = response.result['data']['batch_results'][
len(file_bundles_list):]
if makedirs:
os.makedirs(output_dir, exist_ok=True)
decrypted_files = []
dfn = iter(decrypted_file_names) # decrypted file name iterator
for bundle, d_data in zip(file_bundles_list, decrypted_files_data):
abspath = os.path.abspath(bundle['file'])
version, filename = os.path.basename(abspath).split('_', 1)
filename = filename.split('.vault')[0]
dirname = os.path.dirname(abspath)
b_data = b64_decode(d_data['plaintext'])
if bundle.get('encrypted_file_name', do_decrypt_file_names):
filename = b64_decode(next(dfn)['plaintext'], 'utf8')
_output_dir = bundle.get('output_dir', output_dir) or dirname
if makedirs:
os.makedirs(_output_dir, exist_ok=True)
_file = os.path.join(_output_dir, filename)
with open(_file, 'wb') as f:
f.write(b_data)
decrypted_files.append(_file)
return decrypted_files
def list_mounts(self) -> dict:
response = self.af.go_single(self.list_mount_task())
if not is_success(response.status):
raise Exception(response)
return response.result['data']
def seal(self):
response = self.af.go_single(self.seal_task())
if not is_success(response.status):
raise Exception(response)
return response.result
def rotate_key(self) -> None:
response = self.af.go_single(self.rotate_key_task())
if not is_success(response.status):
raise Exception(response)
return response.result
def unseal(self, unseal_key: str):
response = self.af.go_single(self.unseal_task(unseal_key))
if not is_success(response.status):
raise Exception(response)
return response.result
def mount_read_config(self, mount_point: str):
response = self.af.go_single(self.mount_read_config_task(mount_point))
if not is_success(response.status):
raise Exception(response)
return response.result['data']
def unmount(self, mount_point: str):
response = self.af.go_single(self.unmount_task(mount_point))
if not is_success(response.status):
raise Exception(response)
return response.result
def read_key(self) -> KeyInfo:
response = self.af.go_single(self.read_key_task())
if not is_success(response.status):
raise Exception(response)
self.info = self.KeyInfo(**response.result['data'])
return self.info
