1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
|
#!/usr/bin/env python
"""Database methods module."""
from hvac import utils
from hvac.api.vault_api_base import VaultApiBase
DEFAULT_MOUNT_POINT = "database"
class Database(VaultApiBase):
"""Database Secrets Engine (API).
Reference: https://www.vaultproject.io/api/secret/databases/index.html
"""
def configure(
self,
name,
plugin_name,
verify_connection=None,
allowed_roles=None,
root_rotation_statements=None,
mount_point=DEFAULT_MOUNT_POINT,
*args,
**kwargs
):
"""This endpoint configures the connection string used to communicate with the desired database.
In addition to the parameters listed here, each Database plugin has additional,
database plugin specific, parameters for this endpoint.
Please read the HTTP API for the plugin you'd wish to configure to see the full list of additional parameters.
:param name: Specifies the name for this database connection. This is specified as part of the URL.
:type name: str | unicode
:param plugin_name: Specifies the name of the plugin to use for this connection.
:type plugin_name: str | unicode
:param verify_connection: Specifies if the connection is verified during initial configuration.
:type verify_connection: bool
:param allowed_roles: List of the roles allowed to use this connection. Defaults to empty (no roles),
if contains a "*" any role can use this connection.
:type allowed_roles: list
:param root_rotation_statements: Specifies the database statements to be executed to rotate
the root user's credentials.
:type root_rotation_statements: list
:return: The response of the request.
:rtype: requests.Response
"""
params = {
"plugin_name": plugin_name,
}
params.update(
utils.remove_nones(
{
"allowed_roles": allowed_roles,
"verify_connection": verify_connection,
"root_rotation_statements": root_rotation_statements,
}
)
)
params.update(kwargs)
api_path = utils.format_url(
"/v1/{mount_point}/config/{name}", mount_point=mount_point, name=name
)
return self._adapter.post(
url=api_path,
json=params,
)
def rotate_root_credentials(self, name, mount_point=DEFAULT_MOUNT_POINT):
"""This endpoint is used to rotate the root superuser credentials stored for the database connection.
This user must have permissions to update its own password.
:param name: Specifies the name of the connection to rotate.
:type name: str | unicode
:return: The response of the request.
:rtype: requests.Response
"""
api_path = utils.format_url(
"/v1/{mount_point}/rotate-root/{name}", mount_point=mount_point, name=name
)
return self._adapter.post(
url=api_path,
)
def read_connection(self, name, mount_point=DEFAULT_MOUNT_POINT):
"""This endpoint returns the configuration settings for a connection.
:param name: Specifies the name of the connection to read.
:type name: str | unicode
:return: The response of the request.
:rtype: requests.Response
"""
api_path = utils.format_url(
"/v1/{mount_point}/config/{name}", mount_point=mount_point, name=name
)
return self._adapter.get(
url=api_path,
)
def list_connections(self, mount_point=DEFAULT_MOUNT_POINT):
"""This endpoint returns a list of available connections.
:return: The response of the request.
:rtype: requests.Response
"""
api_path = utils.format_url("/v1/{mount_point}/config", mount_point=mount_point)
return self._adapter.list(
url=api_path,
)
def delete_connection(self, name, mount_point=DEFAULT_MOUNT_POINT):
"""This endpoint deletes a connection.
:param name: Specifies the name of the connection to delete.
:type name: str | unicode
:return: The response of the request.
:rtype: requests.Response
"""
api_path = utils.format_url(
"/v1/{mount_point}/config/{name}", mount_point=mount_point, name=name
)
return self._adapter.delete(
url=api_path,
)
def reset_connection(self, name, mount_point=DEFAULT_MOUNT_POINT):
"""This endpoint closes a connection and it's underlying plugin and
restarts it with the configuration stored in the barrier.
:param name: Specifies the name of the connection to reset.
:type name: str | unicode
:return: The response of the request.
:rtype: requests.Response
"""
api_path = utils.format_url(
"/v1/{mount_point}/reset/{name}", mount_point=mount_point, name=name
)
return self._adapter.post(
url=api_path,
)
def create_role(
self,
name,
db_name,
creation_statements,
default_ttl=None,
max_ttl=None,
revocation_statements=None,
rollback_statements=None,
renew_statements=None,
mount_point=DEFAULT_MOUNT_POINT,
):
"""This endpoint creates or updates a role definition.
:param name: Specifies the database role to manage.
:type name: str | unicode
:param db_name: The name of the database connection to use for this role.
:type db_name: str | unicode
:param creation_statements: Specifies the database statements executed to create and configure a user.
:type creation_statements: list
:param default_ttl: Specifies the TTL for the leases associated with this role.
:type default_ttl: int
:param max_ttl: Specifies the maximum TTL for the leases associated with this role.
:type max_ttl: int
:param revocation_statements: Specifies the database statements to be executed to revoke a user.
:type revocation_statements: list
:param rollback_statements: Specifies the database statements to be executed to rollback
a create operation in the event of an error.
:type rollback_statements: list
:param renew_statements: Specifies the database statements to be executed to renew a user.
:type renew_statements: list
:param mount_point: The "path" the method/backend was mounted on.
:type mount_point: str | unicode
:return: The response of the request.
:rtype: requests.Response
"""
params = {
"db_name": db_name,
"creation_statements": creation_statements,
}
params.update(
utils.remove_nones(
{
"default_ttl": default_ttl,
"max_ttl": max_ttl,
"revocation_statements": revocation_statements,
"rollback_statements": rollback_statements,
"renew_statements": renew_statements,
}
)
)
api_path = utils.format_url(
"/v1/{mount_point}/roles/{name}", mount_point=mount_point, name=name
)
return self._adapter.post(url=api_path, json=params)
def create_static_role(
self,
name,
db_name,
username,
rotation_statements,
rotation_period=86400,
mount_point=DEFAULT_MOUNT_POINT,
):
"""This endpoint creates or updates a static role definition.
:param name: Specifies the name of the role to create.
:type name: str | unicode
:param db_name: The name of the database connection to use for this role.
:type db_name: str | unicode
:param username: Specifies the database username that the Vault role `name` above corresponds to.
:type username: str | unicode
:param rotation_statements: Specifies the database statements to be executed to rotate the password for the configured database user.
Not every plugin type will support this functionality. See the plugin's API page for more information on support and
formatting for this parameter.
:type rotation_statements: list
:param rotation_period: Specifies the amount of time Vault should wait before rotating the password. The minimum is 5 seconds.
:type rotation_period: int
:param mount_point: The "path" the method/backend was mounted on.
:type mount_point: str | unicode
:return: The response of the request.
:rtype: requests.Response
"""
params = {
"db_name": db_name,
"username": username,
"rotation_statements": rotation_statements,
"rotation_period": rotation_period,
}
api_path = utils.format_url(
"/v1/{mount_point}/static-roles/{name}", mount_point=mount_point, name=name
)
return self._adapter.post(url=api_path, json=params)
def read_role(self, name, mount_point=DEFAULT_MOUNT_POINT):
"""This endpoint queries the role definition.
:param name: Specifies the name of the role to read.
:type name: str | unicode
:param mount_point: The "path" the method/backend was mounted on.
:type mount_point: str | unicode
:return: The response of the request.
:rtype: requests.Response
"""
api_path = utils.format_url(
"/v1/{mount_point}/roles/{name}", mount_point=mount_point, name=name
)
return self._adapter.get(
url=api_path,
)
def read_static_role(self, name, mount_point=DEFAULT_MOUNT_POINT):
"""This endpoint queries the static role definition.
:param name: Specifies the name of the role to read.
:type name: str | unicode
:param mount_point: The "path" the method/backend was mounted on.
:type mount_point: str | unicode
:return: The response of the request.
:rtype: requests.Response
"""
api_path = utils.format_url(
"/v1/{mount_point}/static-roles/{name}", mount_point=mount_point, name=name
)
return self._adapter.get(
url=api_path,
)
def list_roles(self, mount_point=DEFAULT_MOUNT_POINT):
"""This endpoint returns a list of available roles.
:param mount_point: The "path" the method/backend was mounted on.
:type mount_point: str | unicode
:return: The response of the request.
:rtype: requests.Response
"""
api_path = utils.format_url("/v1/{mount_point}/roles", mount_point=mount_point)
return self._adapter.list(
url=api_path,
)
def list_static_roles(self, mount_point=DEFAULT_MOUNT_POINT):
"""This endpoint returns a list of available static roles.
:param mount_point: The "path" the method/backend was mounted on.
:type mount_point: str | unicode
:return: The response of the request.
:rtype: requests.Response
"""
api_path = utils.format_url(
"/v1/{mount_point}/static-roles", mount_point=mount_point
)
return self._adapter.list(
url=api_path,
)
def delete_role(self, name, mount_point=DEFAULT_MOUNT_POINT):
"""This endpoint deletes the role definition.
:param name: Specifies the name of the role to delete.
:type name: str | unicode
:param mount_point: The "path" the method/backend was mounted on.
:type mount_point: str | unicode
:return: The response of the request.
:rtype: requests.Response
"""
api_path = utils.format_url(
"/v1/{mount_point}/roles/{name}", mount_point=mount_point, name=name
)
return self._adapter.delete(
url=api_path,
)
def delete_static_role(self, name, mount_point=DEFAULT_MOUNT_POINT):
"""This endpoint deletes the static role definition.
:param name: Specifies the name of the role to delete.
:type name: str | unicode
:param mount_point: The "path" the method/backend was mounted on.
:type mount_point: str | unicode
:return: The response of the request.
:rtype: requests.Response
"""
api_path = utils.format_url(
"/v1/{mount_point}/static-roles/{name}", mount_point=mount_point, name=name
)
return self._adapter.delete(
url=api_path,
)
def generate_credentials(self, name, mount_point=DEFAULT_MOUNT_POINT):
"""This endpoint generates a new set of dynamic credentials based on the named role.
:param name: Specifies the name of the role to create credentials against
:type name: str | unicode
:param mount_point: The "path" the method/backend was mounted on.
:type mount_point: str | unicode
:return: The response of the request.
:rtype: requests.Response
"""
api_path = utils.format_url(
"/v1/{mount_point}/creds/{name}", mount_point=mount_point, name=name
)
return self._adapter.get(
url=api_path,
)
def get_static_credentials(self, name, mount_point=DEFAULT_MOUNT_POINT):
"""This endpoint returns the current credentials based on the named static role.
:param name: Specifies the name of the role to create credentials against
:type name: str | unicode
:param mount_point: The "path" the method/backend was mounted on.
:type mount_point: str | unicode
:return: The response of the request.
:rtype: requests.Response
"""
api_path = utils.format_url(
"/v1/{mount_point}/static-creds/{name}", mount_point=mount_point, name=name
)
return self._adapter.get(
url=api_path,
)
def rotate_static_role_credentials(self, name, mount_point=DEFAULT_MOUNT_POINT):
"""This endpoint is used to rotate the Static Role credentials stored for a given role name.
While Static Roles are rotated automatically by Vault at configured rotation periods,
users can use this endpoint to manually trigger a rotation to change the stored password and
reset the TTL of the Static Role's password.
:param name: Specifies the name of the role to create credentials against
:type name: str | unicode
:param mount_point: The "path" the method/backend was mounted on.
:type mount_point: str | unicode
:return: The response of the request.
:rtype: requests.Response
"""
api_path = utils.format_url(
"/v1/{mount_point}/rotate-role/{name}", mount_point=mount_point, name=name
)
return self._adapter.post(
url=api_path,
)
|
