saltext.vault.utils.vault.leases

Models for Vault leases

class saltext.vault.utils.vault.leases.DurationMixin(renewable=False, duration=0, creation_time=None, expire_time=None, **kwargs)

Mixin that handles expiration with time.

is_renewable()

Checks whether the lease is renewable.

is_valid_for(valid_for=0, blur=0)

Checks whether the entity is valid.

valid_for

Check whether the entity will still be valid in the future. This can be an integer, which will be interpreted as seconds, or a time string using the same format as Vault does: Suffix s for seconds, m for minutes, h for hours, d for days. Defaults to 0.

blur

Allow undercutting valid_for by this number of seconds. Defaults to 0.

property ttl_left

Added in version 1.1.0.

Return the time in seconds until the lease expires.

class saltext.vault.utils.vault.leases.UseCountMixin(num_uses=0, use_count=0, **kwargs)

Mixin that handles expiration with number of uses.

used()

Increment the use counter by one.

has_uses_left(uses=1)

Check whether this entity has uses left.

class saltext.vault.utils.vault.leases.DropInitKwargsMixin(*args, **kwargs)

Mixin that breaks the chain of passing unhandled kwargs up the MRO.

class saltext.vault.utils.vault.leases.AccessorMixin(accessor=None, wrapping_accessor=None, **kwargs)

Mixin that manages accessor information relevant for tokens/SecretIDs.

class saltext.vault.utils.vault.leases.BaseLease(lease_id, **kwargs)

Base class for leases that expire with time.

with_renewed(**kwargs)

Partially update the contained data after lease renewal.

to_dict()

Return a dict of all contained attributes.

class saltext.vault.utils.vault.leases.VaultLease(lease_id, data, min_ttl=None, renew_increment=None, revoke_delay=None, meta=None, **kwargs)

Data object representing a Vault lease.

Optional parameters in addition to the required lease_id and data:

min_ttl

When requesting this lease from the LeaseStore, ensure it is valid for at least this amount of time, even if the passed valid_for parameter is less.

Added in version 1.1.0.

renew_increment

When renewing this lease, instead of the lease’s default TTL, default to this increment.

Added in version 1.1.0.

revoke_delay

When revoking this lease, instead of the default value of 60, default to this amount of time before having the Vault server revoke it.

Added in version 1.1.0.

meta

Cache arbitrary metadata together with the lease. It will be included in expiry events.

Added in version 1.1.0.

is_valid_for(valid_for=None, blur=0)

Checks whether the lease is valid.

valid_for

Check whether the entity will still be valid in the future. This can be an integer, which will be interpreted as seconds, or a time string using the same format as Vault does: Suffix s for seconds, m for minutes, h for hours, d for days. Defaults to the minimum TTL that was set on the lease when creating it or 0.

blur

Allow undercutting valid_for by this number of seconds. Defaults to 0.

class saltext.vault.utils.vault.leases.VaultToken(**kwargs)

Data object representing an authentication token.

is_valid(valid_for=0, uses=1)

Checks whether the token is valid for an amount of time and number of uses.

valid_for

Check whether the token will still be valid in the future. This can be an integer, which will be interpreted as seconds, or a time string using the same format as Vault does: Suffix s for seconds, m for minutes, h for hours, d for days. Defaults to 0.

uses

Check whether the token has at least this number of uses left. Defaults to 1.

is_renewable()

Check whether the token is renewable, which requires it to be currently valid for at least two uses and renewable.

payload()

Return the payload to use for POST requests using this token.

serialize_for_minion()

Serialize all necessary data to recreate this object into a dict that can be sent to a minion.

class saltext.vault.utils.vault.leases.VaultSecretId(**kwargs)

Data object representing an AppRole SecretID.

is_valid(valid_for=0, uses=1)

Checks whether the SecretID is valid for an amount of time and number of uses.

valid_for

Check whether the SecretID will still be valid in the future. This can be an integer, which will be interpreted as seconds, or a time string using the same format as Vault does: Suffix s for seconds, m for minutes, h for hours, d for days. Defaults to 0.

uses

Check whether the SecretID has at least this number of uses left. Defaults to 1.

payload()

Return the payload to use for POST requests using this SecretID.

serialize_for_minion()

Serialize all necessary data to recreate this object into a dict that can be sent to a minion.

class saltext.vault.utils.vault.leases.VaultWrappedResponse(creation_path, **kwargs)

Data object representing a wrapped response.

serialize_for_minion()

Serialize all necessary data to recreate this object into a dict that can be sent to a minion.

class saltext.vault.utils.vault.leases.LeaseStore(client, cache, expire_events=None)

Caches leases and handles lease operations.

get(ckey, valid_for=None, renew=True, renew_increment=None, renew_blur=2, revoke=None, check_server=False)

Return cached lease or None.

ckey

Cache key the lease has been saved in.

valid_for

Ensure the returned lease is valid for at least this amount of time. This can be an integer, which will be interpreted as seconds, or a time string using the same format as Vault does: Suffix s for seconds, m for minutes, h for hours, d for days. Defaults to the minimum TTL that was set on the lease when creating it or 0.

Note

This does not take into account token validity, which active leases are bound to as well.

renew

If the lease is still valid, but not valid for valid_for, attempt to renew it. Defaults to true.

renew_increment

When renewing, request the lease to be valid for this amount of time from the current point of time onwards. If unset, will renew the lease by its default validity period and, if the renewed lease does not pass valid_for, will try to renew it by valid_for.

renew_blur

When checking validity after renewal, allow this amount of seconds in leeway to account for latency. Especially important when renew_increment is unset and the default validity period is less than valid_for. Defaults to 2.

revoke

If the lease is not valid for valid_for and renewals are disabled or impossible, attempt to have Vault revoke the lease after this amount of time and flush the cache. Defaults to the revocation delay that was set on the lease when creating it or 60s.

check_server

Check on the Vault server whether the lease is still active and was not revoked early. Defaults to false.

Added in version 1.1.0.
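
The validity check and renewal order documented for get() above, modelled as an added example (not saltext.vault's own code). ModelLease, get_outcome, the latency parameter and the outcome strings are hypothetical, and the modelled server is assumed to grant every requested increment.

```python
from dataclasses import dataclass

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def to_seconds(value):
    """Integers are seconds; strings may carry a Vault-style s/m/h/d suffix."""
    if isinstance(value, int):
        return value
    value = value.strip()
    if value[-1:] in UNITS:
        return int(value[:-1]) * UNITS[value[-1]]
    return int(value)

@dataclass
class ModelLease:
    """Hypothetical stand-in for a cached lease (not VaultLease itself)."""
    expire_time: int          # absolute expiry, in seconds
    default_ttl: int          # TTL granted by a renewal without increment
    renewable: bool = True
    min_ttl: int = 0

    def is_valid_for(self, now, valid_for=0, blur=0):
        # blur lets the remaining TTL undercut valid_for by that many seconds
        return self.expire_time - now >= to_seconds(valid_for) - blur

def get_outcome(lease, now, valid_for=None, renew=True, renew_increment=None,
                renew_blur=2, latency=1):
    """Model the documented order: cached, renewed or revoke_and_flush."""
    # min_ttl is a floor even when the caller passes a smaller valid_for
    wanted = max(to_seconds(valid_for or 0), to_seconds(lease.min_ttl))
    if lease.is_valid_for(now, wanted):
        return "cached"
    if renew and lease.renewable and lease.is_valid_for(now):
        # Unset increment: try the default TTL first, then valid_for itself
        tries = ([renew_increment] if renew_increment is not None
                 else [lease.default_ttl, wanted])
        for increment in tries:
            # Assumption: the server honours the requested increment
            lease.expire_time = now + to_seconds(increment)
            now += latency  # constructed round-trip delay before the re-check
            if lease.is_valid_for(now, wanted, blur=renew_blur):
                return "renewed"
    return "revoke_and_flush"
```

With a 60 second default TTL and valid_for="5m", the second renewal leaves 299 seconds after one second of latency, so renew_blur=2 accepts the lease while renew_blur=0 falls through to revocation.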

list()

List all known cache keys of cached leases.

list_info(match='*')

Added in version 1.1.0.

List cached leases.

match

Only list cached leases whose ckey matches this glob pattern. Defaults to *.

lookup(lease)

Look up lease meta information.

lease

A lease ID or VaultLease object to look up.

renew(lease, increment=None, raise_all_errors=True, _store=True)

Renew a lease.

lease

A lease ID or VaultLease object to renew.

increment

Request the lease to be valid for this amount of time from the current point of time onwards. Can also be used to reduce the validity period. The server might not honor this increment. Can be an integer (seconds) or a time string like 1h. Optional.

raise_all_errors

When lease is a VaultLease and the renewal does not succeed, do not catch exceptions. If this is false, the lease will be returned unmodified if the exception does not indicate it is invalid (NotFound). Defaults to true.

renew_cached(match='*', increment=None)

Renew cached leases.

match

Only renew cached leases whose ckey matches this glob pattern. Defaults to *.

increment

Request the leases to be valid for this amount of time from the current point of time onwards. Can also be used to reduce the validity period. The server might not honor this increment. Can be an integer (seconds) or a time string like 1h. Optional. If unset, defaults to the renewal increment that was set when creating the lease.

revoke(lease, delta=None)

Revoke a lease. Will also remove the cached lease, if it has been requested from this LeaseStore before.

lease

A lease ID or VaultLease object to revoke.

delta

Time after which the lease should be requested to be revoked by Vault. Defaults to the revocation delay that was set when creating the lease or 60s.

revoke_cached(match='*', delta=None, flush_on_failure=True)

Revoke cached leases.

match

Only revoke cached leases whose ckey matches this glob pattern. Defaults to *.

delta

Time after which the leases should be revoked by Vault. Defaults to the revocation delay that was set when creating the lease(s) or 60s.

flush_on_failure

If a revocation fails, remove the lease from cache anyway. Defaults to true.

store(ckey, lease)

Cache a lease.

ckey

The cache key the lease should be saved in.

lease

A lease ID or VaultLease object to store.