saltext.vault.utils.vault.client

Vault API client implementation

class saltext.vault.utils.vault.client.VaultClient(url, namespace=None, verify=None, session=None)

Unauthenticated client for the Vault API. Base class for the authenticated client.

delete(endpoint, wrap=False, raise_error=True, add_headers=None)

Wrapper for client.request(“DELETE”, …)

get(endpoint, wrap=False, raise_error=True, add_headers=None)

Wrapper for client.request(“GET”, …)

list(endpoint, wrap=False, raise_error=True, add_headers=None)

Wrapper for client.request(“LIST”, …). LIST is a Vault-specific HTTP method; sending the equivalent GET request with the list=true query parameter instead (for intermediaries that reject non-standard methods) is not yet configurable (TODO).

post(endpoint, payload=None, wrap=False, raise_error=True, add_headers=None)

Wrapper for client.request(“POST”, …). Vault treats POST and PUT as synonymous.

patch(endpoint, payload, wrap=False, raise_error=True, add_headers=None)

Wrapper for client.request(“PATCH”, …)

request(method, endpoint, payload=None, wrap=False, raise_error=True, add_headers=None, **kwargs)

Issue a request against the Vault API. Returns a boolean when the response carries no data (True on success; False on an error when raise_error is False), otherwise the decoded JSON body, or a VaultWrappedResponse object if response wrapping was requested.

request_raw(method, endpoint, payload=None, wrap=False, add_headers=None, **kwargs)

Issue a request against the Vault API. Returns the raw response object.
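The three outcomes of request (a boolean, the decoded body, or a wrapped response) follow the shape of Vault's HTTP API answers. The following is an added example, not code from saltext.vault: it models that decoding against constructed responses (the FakeResponse class and the sample bodies are made up for the demonstration) and treats one failure mode explicitly, namely a response that should have been wrapped but arrived with the data in the clear.

```python
import json
from dataclasses import dataclass


class VaultAPIError(Exception):
    """Raised for a 4xx/5xx answer; carries Vault's "errors" list."""

    def __init__(self, status, errors):
        self.status = status
        self.errors = list(errors)
        super().__init__(f"HTTP {status}: {'; '.join(self.errors) or '(no message)'}")


@dataclass
class VaultWrappedResponse:
    """The wrap_info block Vault returns in place of data when wrapping is applied."""
    token: str
    creation_path: str
    ttl: int
    accessor: str = ""


@dataclass
class FakeResponse:
    """Constructed stand-in for the HTTP response object (status code plus body)."""
    status_code: int
    text: str = ""

    def json(self):
        if not self.text:
            raise ValueError("empty body")
        return json.loads(self.text)


def decode_response(res, wrap=False, raise_error=True):
    """Turn an HTTP answer into True, the decoded body, a VaultWrappedResponse, or an error."""
    if res.status_code == 204:
        # Successful write with nothing to return (e.g. a KV delete or a policy write).
        return True
    try:
        body = res.json()
    except ValueError:
        body = {}
    if res.status_code >= 400:
        # Vault reports failures as {"errors": [...]}; a missing KV path is a 404 with an empty list.
        if raise_error:
            raise VaultAPIError(res.status_code, body.get("errors", []))
        return False
    if wrap:
        # Wrapping was requested but the answer carries data instead of wrap_info:
        # the secret travelled unwrapped, so refuse it instead of silently using it.
        info = body.get("wrap_info")
        if not info:
            raise VaultAPIError(res.status_code, ["response wrapping was requested but not applied"])
        return VaultWrappedResponse(token=info["token"], creation_path=info["creation_path"],
                                    ttl=int(info["ttl"]), accessor=info.get("accessor", ""))
    return body


# Constructed sample bodies in the shape the Vault HTTP API uses.
KV2_READ_BODY = json.dumps({
    "request_id": "constructed-request-id",
    "data": {"data": {"password": "constructed-password"}, "metadata": {"version": 3}},
})
WRAPPED_BODY = json.dumps({
    "request_id": "constructed-request-id",
    "data": None,
    "wrap_info": {"token": "hvs.constructed-wrapping-token", "accessor": "constructed-accessor",
                  "ttl": 60, "creation_time": "2024-01-01T00:00:00Z",
                  "creation_path": "secret/data/salt/minion/db01/creds"},
})
PERMISSION_DENIED_BODY = json.dumps({"errors": ["1 error occurred:\n\t* permission denied\n\n"]})
NOT_FOUND_BODY = json.dumps({"errors": []})
```

Vault applies response wrapping because of the X-Vault-Wrap-TTL request header; if an intermediary strips that header, the server answers with the plain data, which is why the wrap branch rejects a body without wrap_info rather than returning it.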

unwrap(wrapped, expected_creation_path=None)

Unwraps the data associated with a wrapping token.

wrapped

Wrapping token to unwrap

expected_creation_path

Regular expression, or list of regular expressions, that must fully match the creation path of the wrapping token. At least one match is required. Defaults to None, which skips the check.

Note

This check detects tampering with wrapping tokens, which are valid for a single unwrap. If an attacker merely sniffs a wrapping token and unwraps it, the legitimate unwrap attempt is the second request for that token, which fails and produces an audit warning. If the attacker can instead issue a fresh wrapping token and substitute it for the original one in the response, no second unwrap ever happens and that warning is silenced. Assuming the attacker does not hold the permissions needed to obtain a wrapping token from the correct endpoint, checking the creation path makes this kind of substitution obvious.
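The substitution attack in the note hinges on the creation path: anyone holding a Vault token can wrap arbitrary data through sys/wrapping/wrap, so a token minted that way reports sys/wrapping/wrap as its creation path instead of the secret's endpoint. The following is an added example, not the project's own unwrap(): it implements the creation-path check over a constructed in-memory model of sys/wrapping/lookup and sys/wrapping/unwrap (the FAKE_* tables, the token names and the helper functions are all made up for the demonstration), including the single-use behaviour that makes a second unwrap fail.

```python
import re

# Constructed: what a wrap-info lookup would report for three wrapping tokens.
# "hvs.legit" came from the KV read we expect, "hvs.approle" from an AppRole
# secret-id endpoint, and "hvs.forged" was minted by an attacker via
# sys/wrapping/wrap, which the default policy permits.
FAKE_WRAP_INFO = {
    "hvs.legit": {"creation_path": "secret/data/salt/minion/db01/creds", "creation_ttl": 60, "ttl": 42},
    "hvs.approle": {"creation_path": "auth/approle/role/salt-minion/secret-id", "creation_ttl": 60, "ttl": 30},
    "hvs.forged": {"creation_path": "sys/wrapping/wrap", "creation_ttl": 60, "ttl": 55},
}
# Constructed: the payload each token unwraps to.
FAKE_WRAPPED_DATA = {
    "hvs.legit": {"data": {"data": {"password": "constructed-password"}}},
    "hvs.approle": {"data": {"secret_id": "constructed-secret-id"}},
    "hvs.forged": {"data": {"data": {"password": "attacker-chosen-password"}}},
}


class VaultUnwrapException(Exception):
    """The wrapping token failed validation, is unknown, or was already used."""


def lookup_wrap_info(token):
    """Model of sys/wrapping/lookup: reports metadata without consuming the token."""
    try:
        return FAKE_WRAP_INFO[token]
    except KeyError:
        raise VaultUnwrapException("wrapping token unknown, expired or already used") from None


def unwrap_once(token):
    """Model of sys/wrapping/unwrap: the token is revoked on first use."""
    try:
        payload = FAKE_WRAPPED_DATA.pop(token)
    except KeyError:
        raise VaultUnwrapException("wrapping token already used") from None
    FAKE_WRAP_INFO.pop(token, None)
    return payload


def creation_path_matches(creation_path, expected):
    """True when expected is None or at least one pattern fully matches the path."""
    if expected is None:
        return True
    if isinstance(expected, str):
        expected = [expected]
    # fullmatch, not match or search: a prefix match would let
    # "secret/data/salt/minion/db01/creds-evil" satisfy a pattern written
    # for "secret/data/salt/minion/db01/creds".
    return any(re.fullmatch(pattern, creation_path) for pattern in expected)


def unwrap_checked(token, expected_creation_path=None):
    """Look the token up first; only unwrap if its creation path is one we expect."""
    info = lookup_wrap_info(token)
    if not creation_path_matches(info["creation_path"], expected_creation_path):
        raise VaultUnwrapException(
            f"wrapping token was created at {info['creation_path']!r}, "
            f"expected a path matching {expected_creation_path!r}"
        )
    return unwrap_once(token)
```

Because the lookup does not consume the token, a rejected token stays unused; that is deliberate, since unwrapping it anyway would both hand the attacker-chosen data to the caller and hide the evidence that a substitution took place.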

wrap_info(wrapped)

Lookup wrapping token meta information.

token_lookup(token=None, accessor=None, raw=False)

Lookup token meta information.

token

The token to look up, or, when accessor is given, the token used to authenticate the accessor lookup. Required.

accessor

The accessor to use to query the token meta information.

raw

Return the raw response object instead of response data. Also disables status code checking.

get_config()

Returns Vault server configuration used by this client.

class saltext.vault.utils.vault.client.AuthenticatedVaultClient(auth, url, **kwargs)

Authenticated client for the Vault API. This should be used for most operations.

token_valid(valid_for=0, remote=True)

Check whether this client’s authentication information is still valid.

remote

Check with the remote Vault server as well, not only against the locally cached token metadata. This consumes a token use. Defaults to True.

token_lookup(token=None, accessor=None, raw=False)

Lookup token meta information.

token

The token to look up. If neither token nor accessor are specified, looks up the current token in use by this client.

accessor

The accessor of the token to query the meta information for.

raw

Return the raw response object instead of response data. Also disables status code checking.

token_renew(increment=None, token=None, accessor=None)

Renew a token.

increment

Request that the token be valid for this amount of time, counted from now. Can also be used to shorten the remaining validity. The server is not obliged to honor the requested increment. Can be an integer (seconds) or a time string like 1h. Optional.

token

The token that should be renewed. Optional. If token and accessor are unset, renews the token currently in use by this client.

accessor

The accessor of the token that should be renewed. Optional.

token_revoke(delta=1, token=None, accessor=None)

Revoke a token by shortening its TTL to delta seconds (1s by default).

delta

The number of seconds after which the token should expire. Defaults to 1.

token

The token that should be revoked. Optional. If token and accessor are unset, revokes the token currently in use by this client.

accessor

The accessor of the token that should be revoked. Optional.

request_raw(method, endpoint, payload=None, wrap=False, add_headers=None, is_unauthd=False, **kwargs)

Issue an authenticated request against the Vault API. Returns the raw response object.

is_unauthd

Send the request without this client's authentication token, as an unauthenticated request.

class saltext.vault.utils.vault.client.CACertHTTPSAdapter(ca_cert_data, *args, **kwargs)

Allows restricting the CA chain validation performed by requests to a single root certificate, without writing that certificate to disk.

init_poolmanager(connections, maxsize, block=False, **pool_kwargs)

Initializes a urllib3 PoolManager.

This method should not be called from user code, and is only exposed for use when subclassing the HTTPAdapter.

Parameters:
  • connections – The number of urllib3 connection pools to cache.

  • maxsize – The maximum number of connections to save in the pool.

  • block – Block when no free connections are available.

  • pool_kwargs – Extra keyword arguments used to initialize the Pool Manager.