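def config_access(self, address, token):
    """Configure how Vault reaches the Consul instance.

    This is a root protected endpoint.

    Parameters:
        address (str): The address of the Consul instance, provided as
                       scheme://host:port. Only ``https://`` and
                       ``http://`` prefixes are recognised; any other
                       value is sent verbatim with ``scheme`` left as
                       ``None``.
        token (str): The Consul ACL token to use. Must be a management
                     type token.
    Returns:
        bool
    """
    method = 'POST'
    path = self.path('config/access')
    # Vault takes the scheme and the host:port as separate fields, so a
    # recognised scheme is split off here; anything else passes through.
    scheme = None
    for prefix in ('https://', 'http://'):
        if address.startswith(prefix):
            scheme = prefix[:-len('://')]
            address = address[len(prefix):]
            break
    # The management token is a high-privilege secret: it is carried only
    # in the JSON body, never in the path or query string.
    data = {'address': address, 'token': token, 'scheme': scheme}
    response = yield from self.req_handler(method, path, json=data)
    return ok(response)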
def config_connection(self, *, dsn):
    """Set the Data Source Name Vault uses to connect to MySQL.

    The DSN has the form
    ``username:password@protocol(address)/dbname?param=value``; for RDS
    it may look like::

        id:password@tcp(your-amazonaws-uri.com:3306)/dbname

    Vault verifies the connection string when it is configured.
    This is a root protected endpoint.

    Parameters:
        dsn (str): The MySQL DSN
    Returns:
        bool
    """
    # The DSN embeds database credentials; it is sent in the JSON body.
    payload = {'value': dsn}
    endpoint = self.path('config/connection')
    response = yield from self.req_handler('POST', endpoint, json=payload)
    return ok(response)
def configure(self, url, userattr, userdn, groupdn):
    """Configure the LDAP server Vault connects to.

    The URL may use the ``ldap://`` scheme (plain connection, default
    port 389) or ``ldaps://`` (SSL connection, default port 636).

    Parameters:
        url (str): ldap URL to connect to (default: ldap://127.0.0.1)
        userattr (str): Attribute used for users (default: cn)
        userdn (str): LDAP domain to use for users
                      (eg: ou=People,dc=example,dc=org)
        groupdn (str): LDAP domain to use for groups
                       (eg: ou=Groups,dc=example,dc=org)
    Returns:
        bool
    """
    endpoint = self.path('config')
    settings = dict(url=url, userattr=userattr, userdn=userdn, groupdn=groupdn)
    response = yield from self.req_handler('POST', endpoint, json=settings)
    return ok(response)
def write_role(self, name, *, policy):
    """Create or update a named AWS role.

    Roles carry the IAM policy that credentials issued under them will
    receive: with the backend mounted at "aws", a role written at
    "aws/roles/deploy" lets a user request credentials at
    "aws/creds/deploy". Vault only checks that the policy is valid JSON;
    to validate the keys themselves, read an access key after writing.

    Parameters:
        name (str): The role name.
        policy (obj): The IAM policy.
    Returns:
        bool
    """
    endpoint = self.path('roles', name)
    body = {'policy': policy}
    response = yield from self.req_handler('POST', endpoint, json=body)
    return ok(response)
def config_lease(self, *, lease, lease_max):
    """Set the default lease settings for credentials this backend issues.

    ``lease`` is how long a credential stays valid and ``lease_max`` the
    longest a set of credentials may live. Durations are written as an
    integer followed by a unit ("1h"); hour is the largest unit.

    Parameters:
        lease (str): The lease value provided as a string duration with
                     time suffix. Hour is the largest suffix.
        lease_max (str): The maximum lease value provided as a string
                         duration with time suffix. Hour is the largest
                         suffix.
    Returns:
        bool
    """
    endpoint = self.path('config/lease')
    # Both durations are normalised through format_duration before
    # being sent.
    default_ttl = format_duration(lease)
    max_ttl = format_duration(lease_max)
    body = {'lease': default_ttl, 'lease_max': max_ttl}
    response = yield from self.req_handler('POST', endpoint, json=body)
    return ok(response)
def config_lease(self, *, lease, lease_max):
    """Set the default lease settings for credentials this backend issues.

    ``lease`` is how long a credential stays valid and ``lease_max`` the
    longest a set of credentials may live. Durations are written as an
    integer followed by a unit ("1h"); hour is the largest unit.

    Parameters:
        lease (str): The lease value provided as a string duration with
                     time suffix. Hour is the largest suffix.
        lease_max (str): The maximum lease value provided as a string
                         duration with time suffix. Hour is the largest
                         suffix.
    Returns:
        bool
    """
    endpoint = self.path('config/lease')
    # Both durations go through format_duration before being sent.
    body = dict(lease=format_duration(lease),
                lease_max=format_duration(lease_max))
    response = yield from self.req_handler('POST', endpoint, json=body)
    return ok(response)
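def write_cert(self, name, *, certificate, display_name=None, policies=None, lease=None):
    """Create or update a trusted client certificate.

    Parameters:
        name (str): The name of the certificate
        certificate (str): The public certificate that should be trusted.
                           Must be x509 PEM encoded
        display_name (str): The display name to use for clients using
                            this certificate
        policies (list): The policies granted to clients presenting
                         this certificate
        lease (str): Lease time; passed through format_duration. The
                     server default is documented as 1 hour.
    Returns:
        bool
    """
    method = 'POST'
    path = self.path('certs', name)
    # policies and lease are normalised by the module helpers; None is
    # handed to them unchanged so the server default applies.
    data = {
        'policies': format_policies(policies),
        'display_name': display_name,
        'certificate': certificate,
        'lease': format_duration(lease)
    }
    response = yield from self.req_handler(method, path, json=data)
    return ok(response)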
def delete_role(self, name):
    """Remove the role definition with the given name.

    Parameters:
        name (str): The role name
    Returns:
        bool
    """
    endpoint = self.path('roles', name)
    response = yield from self.req_handler('DELETE', endpoint)
    return ok(response)
def disable(self, name):
    """Disable the auth backend mounted at ``name``.

    Parameters:
        name (str): The name of mount
    Returns:
        bool
    """
    endpoint = self.path(name)
    response = yield from self.req_handler('DELETE', endpoint)
    return ok(response)
def disable(self):
    """Disable this auth backend.

    Returns:
        bool
    """
    # self.name is interpolated verbatim into the path; it is expected
    # to be a plain mount name.
    endpoint = '/sys/auth/%s' % self.name
    response = yield from self.req_handler('DELETE', endpoint)
    return ok(response)
def delete_cert(self, name):
    """Remove a trusted certificate.

    Parameters:
        name (str): The name of the certificate
    Returns:
        bool
    """
    endpoint = self.path('certs', name)
    response = yield from self.req_handler('DELETE', endpoint)
    return ok(response)
def seal(self):
    """Seal the Vault.

    Returns:
        bool: Vault has been sealed
    """
    response = yield from self.req_handler('PUT', '/sys/seal')
    return ok(response)
def delete_app(self, app):
    """Remove an app-id mapping.

    Parameters:
        app (str): The application ID
    Returns:
        bool
    """
    app_id = extract_id(app)
    endpoint = self.path('map', 'app-id', app_id)
    response = yield from self.req_handler('DELETE', endpoint)
    return ok(response)
def unmount(self):
    """Unmount this secret backend.

    Returns:
        None once the server acknowledges the unmount.
    Raises:
        MountError: carrying the server's error messages when the request
                    fails with an HTTPError, or bare when the response is
                    not acknowledged.
    """
    # self.name is interpolated verbatim into the path.
    endpoint = '/sys/mounts/%s' % self.name
    try:
        response = yield from self.req_handler('DELETE', endpoint)
        acknowledged = ok(response)
    except HTTPError as error:
        raise MountError(*error.errors)
    if acknowledged:
        return
    raise MountError
def disable(self, name):
    """Disable the named audit backend.

    Parameters:
        name (str): The audit name
    Returns:
        bool
    """
    endpoint = self.path(name)
    response = yield from self.req_handler('DELETE', endpoint)
    return ok(response)
def revoke_prefix(self, path_prefix):
    """Immediately revoke every secret generated under a path prefix.

    Parameters:
        path_prefix (str): The path prefix
    Returns:
        bool
    """
    # The prefix is interpolated verbatim; a broad prefix revokes a lot.
    endpoint = '/sys/revoke-prefix/%s' % path_prefix
    response = yield from self.req_handler('PUT', endpoint)
    return ok(response)
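def delete(self, key):
    """Ensure that the key at the given path is absent.

    Parameters:
        key (str): The key name
    Returns:
        bool: The key does not exist in storage
    """
    method = 'DELETE'
    path = self.path(key)
    response = yield from self.req_handler(method, path)
    return ok(response)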
def revoke(self, lease_id):
    """Immediately revoke the secret behind a lease.

    Parameters:
        lease_id (str): The lease id
    Returns:
        bool
    """
    endpoint = '/sys/revoke/%s' % lease_id
    response = yield from self.req_handler('PUT', endpoint)
    return ok(response)
def delete_user(self, user):
    """Remove a user-id mapping.

    Parameters:
        user (str): The user name
    Returns:
        bool
    """
    user_id = extract_id(user)
    endpoint = self.path('map', 'user-id', user_id)
    response = yield from self.req_handler('DELETE', endpoint)
    return ok(response)
def delete_role(self, name):
    """Remove a named role.

    Parameters:
        name (str): The role name.
    Returns:
        bool
    """
    endpoint = self.path('roles', name)
    response = yield from self.req_handler('DELETE', endpoint)
    return ok(response)
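def create(self, username, password, policies=None):
    """Create a new user in the userpass backend.

    Parameters:
        username (str): The username
        password (str): The password
        policies (list): The policies associated with the user
    Returns:
        bool
    """
    method = 'POST'
    path = self.path('users', username)
    # NOTE(review): policies is sent exactly as given here, whereas the
    # other backends in this file run it through format_policies first —
    # confirm the server accepts the raw value.
    # The password is carried only in the JSON body.
    data = {'password': password, 'policies': policies}
    response = yield from self.req_handler(method, path, json=data)
    return ok(response)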
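def revoke_prefix(self, prefix):
    """Revoke all tokens generated at a prefix, their child tokens, and
    every secret generated with those tokens.

    Typical use is revoking everything a credential backend issued
    during a suspected compromise.

    Parameters:
        prefix (str): The token path prefix to revoke
    Returns:
        bool
    """
    method = 'POST'
    path = self.token_path('revoke-prefix', prefix)
    response = yield from self.req_handler(method, path)
    return ok(response)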
def enable(self, description=None):
    """Enable this auth backend at its mount point.

    Parameters:
        description (str): A human-friendly description of the auth
                           backend
    Returns:
        bool
    """
    # self.name is interpolated verbatim into the path.
    endpoint = '/sys/auth/%s' % self.name
    body = dict(type=self.type, description=description)
    response = yield from self.req_handler('POST', endpoint, json=body)
    return ok(response)
def configure(self, *, organization):
    """Set the GitHub organization a user must belong to.

    Parameters:
        organization (str): The organization name a user must be a part
                            of to authenticate
    Returns:
        bool
    """
    endpoint = self.path('config')
    body = {'organization': organization}
    response = yield from self.req_handler('POST', endpoint, json=body)
    return ok(response)
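def write(self, key, value):
    """Update the value stored at the given key.

    Parameters:
        key (str): The key name
        value (obj): The value of the key. It is JSON-serialised and
                     stored as a string under ``value``.
    Returns:
        bool: The key has been written
    """
    method = 'PUT'
    path = self.path(key)
    # The value is serialised to a JSON string here, not sent as a nested
    # object; readers must json.loads it back.
    data = {'value': json.dumps(value)}
    response = yield from self.req_handler(method, path, json=data)
    return ok(response)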
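def write_role(self, name, sql):
    """Create or update a database role definition.

    Parameters:
        name (str): The role name
        sql (str): The SQL statements executed to create and configure
                   the role. Must be semi-colon separated. The
                   '{{name}}', '{{password}}' and '{{expiration}}'
                   values will be substituted.
    Returns:
        bool
    """
    method = 'POST'
    path = self.path('roles', name)
    # The statements are run by the server with its configured database
    # credentials; only the three placeholders above are substituted.
    data = {'sql': sql}
    response = yield from self.req_handler(method, path, json=data)
    return ok(response)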
def delete_key(self, name):
    """Delete a named transit encryption key.

    This is a root protected endpoint. Everything encrypted with the
    key becomes permanently undecryptable.

    Parameters:
        name (str): The transit key
    Returns:
        bool
    """
    # Destructive and irreversible for any ciphertext under this key.
    endpoint = self.path('keys', name)
    response = yield from self.req_handler('DELETE', endpoint)
    return ok(response)
def write_team(self, name, policies):
    """Map a GitHub team to a set of policies.

    Parameters:
        name (str): The team name
        policies (list): The team policies
    Returns:
        bool
    """
    endpoint = self.path('map', 'teams', name)
    body = {'value': format_policies(policies)}
    response = yield from self.req_handler('POST', endpoint, json=body)
    return ok(response)
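def write_role(self, name, *, policy, lease=None):
    """Create or update a Consul role definition.

    Parameters:
        name (str): The role name
        policy (str): The Consul ACL policy. It is base64-encoded before
                      being sent.
        lease (str): Optional lease duration; passed through
                     format_duration. None leaves the server default.
    Returns:
        bool
    """
    method = 'POST'
    path = self.path('roles', name)
    # The server expects the ACL policy base64-encoded in the body.
    data = {'policy': base64_encode(policy), 'lease': format_duration(lease)}
    response = yield from self.req_handler(method, path, json=data)
    return ok(response)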
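def config_connection(self, *, dsn):
    """Set the connection string Vault uses to talk to PostgreSQL.

    This is a root protected endpoint.

    Parameters:
        dsn (str): The PostgreSQL connection URL or PG style string.
                   e.g. "user=foo host=bar"
    Returns:
        bool
    """
    method = 'POST'
    path = self.path('config/connection')
    # The DSN may embed database credentials; it is sent in the JSON body.
    data = {'value': dsn}
    response = yield from self.req_handler(method, path, json=data)
    return ok(response)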
def unmount(self, name):
    """Unmount a secret backend.

    Parameters:
        name (str): The name of mounted backend
    Returns:
        bool: False when the server answers with an internal error,
              otherwise whether the request was acknowledged.
    """
    mount_name = extract_name(name)
    endpoint = self.path(mount_name)
    try:
        response = yield from self.req_handler('DELETE', endpoint)
    except InternalServerError:
        return False
    return ok(response)
def delete_group(self, name):
    """Remove an LDAP group mapping.

    Deleting the group does not revoke access for users already
    authenticated through it; revoke "login/<username>" for each user
    that should lose access.

    Parameters:
        name (str): Name of the LDAP group
    Returns:
        bool
    """
    endpoint = self.path('groups', name)
    response = yield from self.req_handler('DELETE', endpoint)
    return ok(response)
def write(self, key, values):
    """Write a dict of values at the given key.

    Parameters:
        key (str): The key to write
        values (dict): The data to write
    Returns:
        bool: The key has been written
    Raises:
        ValueError: when ``values`` is not a dict.
    """
    if isinstance(values, dict):
        endpoint = self.path(key)
        response = yield from self.req_handler('POST', endpoint, json=values)
        return ok(response)
    raise ValueError('values must be a dict')
def write_key(self, name, *, derived=False):
    """Create a named transit encryption key.

    This is a root protected endpoint.

    Parameters:
        name (str): The transit key
        derived (bool): Enables key derivation mode. This allows for
                        per-transaction unique keys
    Returns:
        bool
    """
    endpoint = self.path('keys', name)
    body = {'derived': derived}
    response = yield from self.req_handler('POST', endpoint, json=body)
    return ok(response)
def delete(self, name):
    """Delete the policy with the given name.

    Takes effect immediately for every associated user: being associated
    with a policy that does not exist is the same as not being
    associated with it at all.

    Parameters:
        name (str): The policy name
    Returns:
        bool: Policy does not exist in storage
    """
    policy_name = extract_name(name)
    endpoint = self.path(policy_name)
    response = yield from self.req_handler('DELETE', endpoint)
    return ok(response)
def write_user(self, user, app, cidr_block=None):
    """Map a user-id to an app-id.

    Parameters:
        user (str): The user name
        app (str): The application ID
        cidr_block (str): The CIDR block to limit
    Returns:
        bool
    """
    app_id = extract_id(app)
    user_name = extract_name(user)
    endpoint = self.path('map', 'user-id', user_name)
    body = dict(value=app_id, cidr_block=cidr_block)
    response = yield from self.req_handler('POST', endpoint, json=body)
    return ok(response)
def remount(self, dest):
    """Move this secret backend to a new mount point.

    On success ``self.name`` is updated to the new endpoint.

    Parameters:
        dest (str): The new endpoint
    Raises:
        MountError: carrying the server's error messages when the request
                    fails with an HTTPError, or bare when the response is
                    not acknowledged.
    """
    target = extract_name(dest)
    body = {'from': self.name, 'to': target}
    try:
        response = yield from self.req_handler('POST', '/sys/remount', json=body)
        acknowledged = ok(response)
    except HTTPError as error:
        raise MountError(*error.errors)
    if acknowledged:
        self.name = target
        return
    raise MountError
def write_app(self, app, *, policies=None, display_name=None):
    """Map an app-id to a set of policies.

    Parameters:
        app (str): The application ID
        policies (list): The policies
        display_name (str): The name to be displayed; defaults to the
                            application ID
    Returns:
        bool
    """
    app_id = extract_id(app)
    endpoint = self.path('map', 'app-id', app_id)
    body = {
        'display_name': display_name or app_id,
        'value': format_policies(policies),
    }
    response = yield from self.req_handler('POST', endpoint, json=body)
    return ok(response)
def write(self, name, rules):
    """Set the rules of the named policy.

    An updated policy takes effect immediately for all associated users.

    Parameters:
        name (str): The policy name
        rules (dict): The rules, or an object exposing them as ``.rules``.
    Returns:
        bool: Rules have been written
    """
    policy_name = extract_name(name)
    # Accept either a plain mapping or an object carrying a `rules` attr.
    rule_set = getattr(rules, 'rules', rules)
    endpoint = self.path(policy_name)
    # The server stores rules as a JSON string keyed under 'path'.
    body = {'rules': json.dumps({'path': rule_set})}
    response = yield from self.req_handler('PUT', endpoint, json=body)
    return ok(response)
def config_lease(self, lease, lease_max):
    """Set the lease settings for credentials this backend issues.

    Leases default to 1 hour when not configured. This is a root
    protected endpoint.

    Parameters:
        lease (str): The lease value provided as a string duration with
                     time suffix. Hour is the largest suffix.
        lease_max (str): The maximum lease value provided as a string
                         duration with time suffix. Hour is the largest
                         suffix.
    Returns:
        bool
    """
    endpoint = self.path('config/lease')
    body = dict(lease=format_duration(lease),
                lease_max=format_duration(lease_max))
    response = yield from self.req_handler('POST', endpoint, json=body)
    return ok(response)
def config_root(self, *, access_key, secret_key, region=None):
    """Set the IAM credentials the AWS backend uses to manage users.

    The backend needs credentials able to manage IAM policies, users and
    access keys. They do not necessarily need to be root keys as long as
    they carry permission to manage IAM::

        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "Stmt1432042359000",
              "Effect": "Allow",
              "Action": [
                "iam:CreateUser",
                "iam:PutUserPolicy",
                "iam:CreateAccessKey"
              ],
              "Resource": [
                "*"
              ]
            }
          ]
        }

    Parameters:
        access_key (str): Access key with permission to create new keys
        secret_key (str): Secret key with permission to create new keys
        region (str): The region for API calls
    Returns:
        bool
    """
    endpoint = self.path('config/root')
    # Long-lived IAM credentials; carried only in the JSON body.
    body = dict(access_key=access_key, secret_key=secret_key, region=region)
    response = yield from self.req_handler('POST', endpoint, json=body)
    return ok(response)
def mount(self, *, name=None, description=None):
    """Mount this secret backend.

    On success ``self.name`` is set to the mount point used.

    Parameters:
        name (str): The new endpoint; defaults to ``self.name``
        description (str): A human-friendly description of the mount
    Raises:
        MountError: carrying the server's error messages when the request
                    fails with an HTTPError, or bare when the response is
                    not acknowledged.
    """
    mount_point = name or self.name
    # mount_point is interpolated verbatim into the path.
    endpoint = '/sys/mounts/%s' % mount_point
    body = dict(type=self.type, description=description)
    try:
        response = yield from self.req_handler('POST', endpoint, json=body)
        acknowledged = ok(response)
    except HTTPError as error:
        raise MountError(*error.errors)
    if acknowledged:
        self.name = mount_point
        return
    raise MountError