def export_key(self, key_type: enums.ExportKeyType, version: int = 0) -> dict: response = self.af.go_single(self.export_key_task(key_type, version)) if not is_success(response.status): raise Exception(response) return response.result['data']
def unseal_many(self, keys: t.List[str]) -> t.List: responses = self.go_tasks(*[self.unseal_task(_key) for _key in keys]).values() if not all( is_success(sub_response.status) for sub_response in responses): raise Exception(responses) return [sub_response.result for sub_response in responses]
def rewrap_data_batch( self, batch: t.List[str_dict__or__bytes_or_str]) -> t.List[str_dict]: response = self.af.go_single(self.rewrap_b64_task(batch_input=batch)) if not is_success(response.status): raise Exception(response) return response.result['data']['batch_results']
def rewrap_encrypted_files( self, file_bundles_list: t.List[str_dict], output_dir: str = '', makedirs: bool = False, do_rewrap_file_names: bool = False, output_filename_template: str = '%(version)s_%(filename)s.vault'): response = self.af.go_single( self.rewrap_encrypted_files_task(file_bundles_list, do_rewrap_file_names)) if not is_success(response.status): raise Exception(response) batch_results = response.result['data']['batch_results'] encrypted_files_data = batch_results[:len(file_bundles_list)] encrypted_file_names = batch_results[len(file_bundles_list):] if makedirs: os.makedirs(output_dir, exist_ok=True) # same as encrypt return self.handle_encrypt_files( file_bundles_list=file_bundles_list, encrypted_files_data=encrypted_files_data, encrypted_file_names=encrypted_file_names, output_dir=output_dir, makedirs=makedirs, do_encrypt_file_names=do_rewrap_file_names, output_filename_template=output_filename_template, rewrap=True)
def encrypt_batch( self, plain_data_bundle: t.List[str_dict__or__bytes_or_str] ) -> t.List[str_dict]: response = self.af.go_single( self.encrypt_batch_task(plain_data_bundle)) if not is_success(response.status): raise Exception(response) return response.result['data']['batch_results']
def config_key(self, min_decryption_version: int = None, deletion_allowed: bool = None): response = self.af.go_single( self.config_key_task(min_decryption_version, deletion_allowed)) if not is_success(response.status): raise Exception(response) return response.result
def encrypt_data(self, plain_text: str_or_bytes, context: str = '', nonce: str = ''): response = self.af.go_single( self.encrypt_data_task(plain_text, context, nonce)) if not is_success(response.status): raise Exception(response) return response.result['data']['ciphertext']
def mount_write_config(self, mount_point: str, default_lease_ttl: str = '0', max_lease_ttl: str = '0') -> None: response = self.af.go_single( self.mount_write_config_task(mount_point, default_lease_ttl, max_lease_ttl)) if not is_success(response.status): raise Exception(response) return response.result
def encrypt_b64(self, b64_plain_text: str = '', b64_context: str = '', b64_nonce: str = '', batch_input: t.List[t.Dict[str, str]] = None) -> dict: response = self.af.go_single( self.encrypt_b64_task(b64_plain_text, b64_context, b64_nonce, batch_input)) if not is_success(response.status): raise Exception(response) return response.result
def rewrap_b64(self, ciphertext: str = '', b64_context: str = '', b64_nonce: str = '', batch_input: t.List[t.Dict[str, str]] = None): response = self.af.go_single( self.rewrap_b64_task(ciphertext, b64_context, b64_nonce, batch_input)) if not is_success(response.status): raise Exception(response) return response.result
def sign( self, input_data: str_or_bytes, output_format: enums.DigestOutputFormat = enums.DigestOutputFormat. HEX, algorithm: enums.DigestAlgorithm = enums.DigestAlgorithm.SHA2_256): response = self.af.go_single( self.sign_task(input_data, output_format, algorithm)) if not is_success(response.status): raise Exception(response) return response.result['data']['signature']
def rewrap_data(self, ciphertext: str = '', context: str = '', nonce: str = '') -> str: response = self.af.go_single( self.rewrap_data_task(ciphertext=ciphertext, context=context, nonce=nonce)) if not is_success(response.status): raise Exception(response) return response.result['data']['batch_results'][0]['ciphertext']
def create_key(self, key_type: enums.EncryptionKeyType = None, convergent_encryption: bool = False, derived: bool = False, exportable: bool = False): task_bundle = self.create_key_task(key_type, convergent_encryption, derived, exportable) response = self.af.go_single(task_bundle) if not is_success(response.status): raise Exception(response) return response.result
def list_keys(self) -> t.Dict[str, 'TransitKey']: response = self.af.go_single(self.list_keys_task()) if not is_success(response.status): # do not raise if no keys present if response.status == 404 and not response.result['errors']: return {} raise Exception(response) key_instance_map = OrderedDict() for key_name in response.result['data']['keys']: key_instance_map[key_name] = TransitKey(self, key_name) return key_instance_map
def decrypt_batch( self, ciphertext_data_bundle: t.List[str_dict__or__bytes_or_str], encoding: str = None) -> t.List[str]: response = self.af.go_single( self.decrypt_batch_task(ciphertext_data_bundle)) if not is_success(response.status): raise Exception(response) results = [] for br in response.result['data']['batch_results']: results.append(b64_decode(br['plaintext'], encoding=encoding)) return results
def encrypt_files( self, file_bundles_list: t.List[str_dict_or_str], output_dir: str = '', makedirs: bool = False, do_encrypt_file_names: bool = False, output_filename_template: str = '%(version)s_%(filename)s.vault' ) -> t.List[str]: """ :param do_encrypt_file_names: default for encrypt file names and encode encrypted data with base32 :param file_bundles_list: [ { 'file': __file__, 'data_context': 'ct1', 'data_nonce': 'n1', 'name_context': 'ct2', # context should be set either in all the request blocks or in none 'name_nonce': 'n2', 'encrypted_file_name': True }, ] :param output_dir: default output dir for encrypted files :param makedirs: create output directory :param output_filename_template: %(version)s_%(filename)s.vault :return: absolute file paths of files encrypted, ['/path/1.vault',] """ response = self.af.go_single( self.encrypt_files_task( file_bundles_list, do_encrypt_file_names=do_encrypt_file_names), ) if not is_success(response.status): raise Exception(response) encrypted_files_data = response.result['data'][ 'batch_results'][:len(file_bundles_list)] encrypted_file_names = response.result['data']['batch_results'][ len(file_bundles_list):] if makedirs: os.makedirs(output_dir, exist_ok=True) return self.handle_encrypt_files( file_bundles_list=file_bundles_list, encrypted_files_data=encrypted_files_data, encrypted_file_names=encrypted_file_names, output_dir=output_dir, makedirs=makedirs, do_encrypt_file_names=do_encrypt_file_names, output_filename_template=output_filename_template)
def mount(self, backend_type: enums.SecretBackend, mount_point: str = 'mount-point', description: str = '', config: dict = None): response = self.af.go_single( self.mount_task(backend_type, mount_point, description, config)) if not is_success(response.status): raise Exception(response) if backend_type == enums.SecretBackend.Transit: from vault_mods.transit import Transit return Transit(server_url=self.server_url, api_version=self.api_version, mount_point=mount_point, loop=self.loop, cafile=self.cafile, token=self.token, tcp_connector=self.get_tcp_connector(), parent=self) return response.result
def decrypt_files(self, file_bundles_list: t.List[str_dict_or_str], do_decrypt_file_names: bool = False, output_dir: str = '', makedirs: bool = False) -> t.List[str]: response = self.af.go_single( self.decrypt_files_task(file_bundles_list, do_decrypt_file_names)) if not is_success(response.status): raise Exception(response) decrypted_files_data = response.result['data'][ 'batch_results'][:len(file_bundles_list)] decrypted_file_names = response.result['data']['batch_results'][ len(file_bundles_list):] if makedirs: os.makedirs(output_dir, exist_ok=True) decrypted_files = [] dfn = iter(decrypted_file_names) # decrypted file name iterator for bundle, d_data in zip(file_bundles_list, decrypted_files_data): abspath = os.path.abspath(bundle['file']) version, filename = os.path.basename(abspath).split('_', 1) filename = filename.split('.vault')[0] dirname = os.path.dirname(abspath) b_data = b64_decode(d_data['plaintext']) if bundle.get('encrypted_file_name', do_decrypt_file_names): filename = b64_decode(next(dfn)['plaintext'], 'utf8') _output_dir = bundle.get('output_dir', output_dir) or dirname if makedirs: os.makedirs(_output_dir, exist_ok=True) _file = os.path.join(_output_dir, filename) with open(_file, 'wb') as f: f.write(b_data) decrypted_files.append(_file) return decrypted_files
def list_mounts(self) -> dict: response = self.af.go_single(self.list_mount_task()) if not is_success(response.status): raise Exception(response) return response.result['data']
def seal(self): response = self.af.go_single(self.seal_task()) if not is_success(response.status): raise Exception(response) return response.result
def rotate_key(self) -> None: response = self.af.go_single(self.rotate_key_task()) if not is_success(response.status): raise Exception(response) return response.result
def unseal(self, unseal_key: str): response = self.af.go_single(self.unseal_task(unseal_key)) if not is_success(response.status): raise Exception(response) return response.result
def mount_read_config(self, mount_point: str): response = self.af.go_single(self.mount_read_config_task(mount_point)) if not is_success(response.status): raise Exception(response) return response.result['data']
def unmount(self, mount_point: str): response = self.af.go_single(self.unmount_task(mount_point)) if not is_success(response.status): raise Exception(response) return response.result
def read_key(self) -> KeyInfo: response = self.af.go_single(self.read_key_task()) if not is_success(response.status): raise Exception(response) self.info = self.KeyInfo(**response.result['data']) return self.info