saltext.vault.utils.vault.client

Vault API client implementation

class saltext.vault.utils.vault.client.VaultClient(url, namespace=None, verify=None, session=None, connect_timeout=9.2, read_timeout=30, max_retries=5, backoff_factor=0.1, backoff_max=10.0, backoff_jitter=0.2, retry_post=False, respect_retry_after=True, retry_status=(412, 500, 502, 503, 504), retry_after_max=60)[source]

Unauthenticated client for the Vault API. Base class for authenticated client.

delete(endpoint, wrap=False, raise_error=True, add_headers=None)[source]

Wrapper for client.request(“DELETE”, …)

get(endpoint, wrap=False, raise_error=True, add_headers=None)[source]

Wrapper for client.request(“GET”, …)

list(endpoint, wrap=False, raise_error=True, add_headers=None)[source]

Wrapper for client.request(“LIST”, …) TODO: configuration to enable GET requests with query parameters for LIST?

post(endpoint, payload=None, wrap=False, raise_error=True, add_headers=None)[source]

Wrapper for client.request(“POST”, …) Vault considers POST and PUT to be synonymous.

patch(endpoint, payload, wrap=False, raise_error=True, add_headers=None)[source]

Wrapper for client.request(“PATCH”, …)

request(method, endpoint, payload=None, wrap=False, raise_error=True, add_headers=None, **kwargs)[source]

Issue a request against the Vault API. Returns a boolean when the response carried no data, otherwise the decoded JSON data, or a VaultWrappedResponse object if wrapping was requested.

request_raw(method, endpoint, payload=None, wrap=False, add_headers=None, **kwargs)[source]

Issue a request against the Vault API. Returns the raw response object.

unwrap(wrapped, expected_creation_path=None)[source]

Unwraps the data associated with a wrapping token.

wrapped

Wrapping token to unwrap

expected_creation_path

Regular expression or list of regular expressions, at least one of which must fully match the wrapping token's creation path. Defaults to None, which skips the check.

Note

This check detects substitution of wrapping tokens, which are valid for a single unwrap only. If an attacker merely intercepts a wrapping token and unwraps it, the legitimate unwrap fails as well, so two unwrap attempts show up in the audit log. If the attacker can instead issue a wrapping token of their own and substitute it into the response, that signal disappears. Provided the attacker lacks the permissions to create a wrapping token at the correct endpoint, the substituted token's creation path will not match the expected one, and checking it makes this kind of attack obvious.
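The creation-path check described above, as an added example that is not saltext.vault's own code. The wrap_info dictionaries are constructed samples of the metadata Vault returns for a wrapping token (only creation_path matters here); the AppRole secret-id pattern and the function names are this example's assumptions. The second sample shows why the check works: a token minted through the generic sys/wrapping/wrap endpoint carries that endpoint as its creation path.

```python
import re

# Constructed sample of wrapping token metadata as returned by a wrap lookup.
# Values are made up; only creation_path is examined below.
LEGITIMATE_WRAP_INFO = {
    "creation_path": "auth/approle/role/salt-minion/secret-id",
    "creation_ttl": 300,
    "creation_time": "2024-01-01T00:00:00Z",
}

# Constructed sample of a token an attacker could mint with nothing but
# permission on sys/wrapping/wrap; its creation path gives the substitution away.
SUBSTITUTED_WRAP_INFO = {
    "creation_path": "sys/wrapping/wrap",
    "creation_ttl": 300,
    "creation_time": "2024-01-01T00:00:01Z",
}


class WrappingTokenError(Exception):
    """Raised when wrapping token metadata fails validation."""


def creation_path_matches(creation_path, expected=None):
    """Return True if at least one expected pattern fully matches creation_path.

    `expected` may be None (skip the check), a single regex string, or a list
    of regex strings. re.fullmatch is used deliberately: a start-anchored match
    would still accept "auth/approle/role/x/secret-id/extra".
    """
    if expected is None:
        return True
    patterns = [expected] if isinstance(expected, str) else list(expected)
    return any(re.fullmatch(pattern, creation_path) for pattern in patterns)


def check_wrap_info(wrap_info, expected_creation_path=None):
    """Validate wrapping token metadata before the token is unwrapped.

    Returns the creation path on success and raises WrappingTokenError
    otherwise, so a caller never unwraps a token minted somewhere unexpected.
    """
    creation_path = wrap_info.get("creation_path")
    if not creation_path:
        raise WrappingTokenError("wrapping token metadata lacks a creation_path")
    if not creation_path_matches(creation_path, expected_creation_path):
        raise WrappingTokenError(
            f"wrapping token was created at {creation_path!r}, "
            f"expected a path matching {expected_creation_path!r}"
        )
    return creation_path


if __name__ == "__main__":
    expected = [r"auth/approle/role/[^/]+/secret-id"]
    print("accepted:", check_wrap_info(LEGITIMATE_WRAP_INFO, expected))
    try:
        check_wrap_info(SUBSTITUTED_WRAP_INFO, expected)
    except WrappingTokenError as err:
        print("rejected:", err)
```

Run the check on the wrap_info metadata before unwrapping, not after: once the token has been unwrapped the secret is already in hand and the audit trail is the only remaining signal.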

wrap_info(wrapped)[source]

Lookup wrapping token meta information.

token_lookup(token=None, accessor=None, raw=False)[source]

Lookup token meta information.

token

The token to look up, or, when accessor is given, the token used to authenticate the accessor lookup. Required.

accessor

The accessor to use to query the token meta information.

raw

Return the raw response object instead of response data. Also disables status code checking.

token_valid(valid_for=0, remote=True)[source]

This client does not have a token, hence it’s always invalid.

get_config()[source]

Returns Vault server configuration used by this client.

class saltext.vault.utils.vault.client.AuthenticatedVaultClient(auth, url, **kwargs)[source]

Authenticated client for the Vault API. This should be used for most operations.

token_valid(valid_for=0, remote=True)[source]

Check whether this client’s authentication information is still valid.

remote

Check with the remote Vault server as well. This consumes a token use. Defaults to true.

token_lookup(token=None, accessor=None, raw=False)[source]

Lookup token meta information.

token

The token to look up. If neither token nor accessor are specified, looks up the current token in use by this client.

accessor

The accessor of the token to query the meta information for.

raw

Return the raw response object instead of response data. Also disables status code checking.

token_renew(increment=None, token=None, accessor=None)[source]

Renew a token.

increment

Request the token to be valid for this amount of time from now onwards. This can also shorten the validity period. The server might not honor the requested increment. Can be an integer (seconds) or a time string like 1h. Optional.

token

The token that should be renewed. Optional. If token and accessor are unset, renews the token currently in use by this client.

accessor

The accessor of the token that should be renewed. Optional.

token_revoke(delta=1, token=None, accessor=None)[source]

Revoke a token by shortening its TTL to delta seconds (1s by default), after which it expires.

delta

The time in seconds to request revocation after. Defaults to 1s.

token

The token that should be revoked. Optional. If token and accessor are unset, revokes the token currently in use by this client.

accessor

The accessor of the token that should be revoked. Optional.

request_raw(method, endpoint, payload=None, wrap=False, add_headers=None, is_unauthd=False, **kwargs)[source]

Issue an authenticated request against the Vault API. Returns the raw response object.

class saltext.vault.utils.vault.client.VaultAPIAdapter(*args, verify=None, connect_timeout=None, read_timeout=None, **kwargs)[source]

An adapter that

  • allows restricting CA chain validation for requests to a single root certificate without writing it to disk, and

  • sets default timeout values without having to specify them in every request.

init_poolmanager(connections, maxsize, block=False, **pool_kwargs)[source]

Initializes a urllib3 PoolManager.

This method should not be called from user code, and is only exposed for use when subclassing the HTTPAdapter.

Parameters:
  • connections – The number of urllib3 connection pools to cache.

  • maxsize – The maximum number of connections to save in the pool.

  • block – Block when no free connections are available.

  • pool_kwargs – Extra keyword arguments used to initialize the Pool Manager.

send(request, stream=False, timeout=None, verify=True, cert=None, proxies=None)[source]

Wrap sending the request to ensure verify and timeout are set as specified on every request. timeout can be overridden per request.

class saltext.vault.utils.vault.client.VaultRetry(*args, backoff_jitter=0.0, backoff_max=120, retry_after_max=60, **kwargs)[source]

The Vault API responds with HTTP 429 when rate limits have been hit. We want to always retry 429, regardless of the HTTP verb and the presence of the Retry-After header, thus we need to subclass the retry configuration class. For HTTP error responses that lack a Retry-After header, we also do not want the first retry to happen immediately.

We override the default exponential power-of-2 algorithm for calculating the backoff time with a Fibonacci one because we expect a relatively quick turnaround.

__init__(*args, backoff_jitter=0.0, backoff_max=120, retry_after_max=60, **kwargs)[source]

For urllib3<2, backport backoff_max and backoff_jitter. Also, allow limiting the value returned by Retry-After by specifying retry_after_max.

is_retry(method, status_code, has_retry_after=False)[source]

HTTP 429 is always retryable (even for POST/PATCH), otherwise fall back to the configuration.

get_backoff_time()[source]

When we’re retrying HTTP error responses, ensure we don’t execute the first retry immediately. Also overrides the default 2**n algorithm with one based on the Fibonacci sequence. On urllib3<2, this also backports backoff_jitter and backoff_max.

get_retry_after(response)[source]

The default implementation sleeps for as long as requested by the Retry-After header. We want to limit that somewhat to avoid sleeping until the end of the universe.

new(**kw)[source]

Since we backport some parameters and introduce a new one, ensure the Retry copies created for each subsequent attempt carry the configured parameters, not the defaults.
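The retry policy described for VaultRetry, as an added example that is not the project's own code and does not subclass urllib3's Retry. It uses the VaultClient constructor defaults from above (backoff_factor=0.1, backoff_max=10.0, backoff_jitter=0.2, retry_status=(412, 500, 502, 503, 504), retry_after_max=60), but the exact Fibonacci formula, the treatment of PATCH like POST, the omission of urllib3's has_retry_after argument and the function names are this example's assumptions.

```python
import random
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Verbs that are safe to repeat without further configuration; LIST is Vault's
# own read-only verb. POST and PATCH are only retried when retry_post is set.
IDEMPOTENT_METHODS = frozenset({"GET", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE", "LIST"})


def fib(n):
    """n-th Fibonacci number: fib(1) == fib(2) == 1, fib(3) == 2, fib(4) == 3, ..."""
    a, b = 0, 1
    for _ in range(n):
        a, b = b, a + b
    return a


class VaultRetryPolicy:
    """Decides whether a response is retried and how long to wait first.

    Example code: the formulas below are this example's own, not saltext.vault's.
    """

    def __init__(self, backoff_factor=0.1, backoff_max=10.0, backoff_jitter=0.2,
                 retry_post=False, retry_status=(412, 500, 502, 503, 504),
                 retry_after_max=60, rng=random.random):
        self.backoff_factor = backoff_factor
        self.backoff_max = backoff_max
        self.backoff_jitter = backoff_jitter
        self.retry_post = retry_post
        self.retry_status = frozenset(retry_status)
        self.retry_after_max = retry_after_max
        self.rng = rng  # injectable so the jitter can be pinned in tests

    def is_retry(self, method, status_code):
        """HTTP 429 is always retried, even for POST/PATCH. Other statuses are
        retried only if configured and the verb is safe to repeat (or retry_post)."""
        if status_code == 429:
            return True
        if status_code not in self.retry_status:
            return False
        if method.upper() in IDEMPOTENT_METHODS:
            return True
        return self.retry_post

    def get_backoff_time(self, attempt):
        """Seconds to wait before retry number `attempt` (1-based).

        The first retry already waits backoff_factor seconds instead of 0.
        Growth follows fib(attempt + 1), i.e. 1, 2, 3, 5, 8, ... times the
        factor; jitter is added before the backoff_max cap is applied.
        """
        if attempt < 1:
            raise ValueError("attempt numbers start at 1")
        wait = self.backoff_factor * fib(attempt + 1)
        if self.backoff_jitter:
            wait += self.rng() * self.backoff_jitter
        return max(0.0, min(float(self.backoff_max), wait))

    def get_retry_after(self, header_value, now=None):
        """Parse a Retry-After header (delta-seconds or HTTP-date) and cap it
        at retry_after_max. Returns None if the header is absent or unparsable."""
        if header_value is None:
            return None
        value = header_value.strip()
        try:
            seconds = float(int(value))
        except ValueError:
            try:
                retry_at = parsedate_to_datetime(value)
            except (TypeError, ValueError):
                return None
            if retry_at.tzinfo is None:  # "-0000" dates come back naive
                retry_at = retry_at.replace(tzinfo=timezone.utc)
            now = now or datetime.now(timezone.utc)
            seconds = (retry_at - now).total_seconds()
        return max(0.0, min(float(self.retry_after_max), seconds))

    def sleep_time(self, headers, attempt, now=None):
        """Honour a parsable Retry-After header, otherwise back off."""
        retry_after = self.get_retry_after(headers.get("Retry-After"), now=now)
        if retry_after is not None:
            return retry_after
        return self.get_backoff_time(attempt)


if __name__ == "__main__":
    policy = VaultRetryPolicy()
    for attempt in range(1, 8):
        print(attempt, round(policy.get_backoff_time(attempt), 3))
    print(policy.is_retry("POST", 429), policy.is_retry("POST", 503))
    print(policy.sleep_time({"Retry-After": "3600"}, 1))
```

The header lookup uses a plain dict for brevity; a real response object exposes case-insensitive headers. The cap on Retry-After matters in a rate-limited Vault deployment: a single misconfigured proxy sending a date far in the future would otherwise stall every minion until then.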