1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
|
#!/usr/bin/env python
"""Support for "Auth"-related System Backend Methods."""
from hvac.api.system_backend.system_backend_mixin import SystemBackendMixin
from hvac.utils import validate_list_of_strings_param, list_to_comma_delimited
from hvac import exceptions, utils
class Auth(SystemBackendMixin):
def list_auth_methods(self):
"""List all enabled auth methods.
Supported methods:
GET: /sys/auth. Produces: 200 application/json
:return: The JSON response of the request.
:rtype: dict
"""
api_path = "/v1/sys/auth"
return self._adapter.get(
url=api_path,
)
def enable_auth_method(
self,
method_type,
description=None,
config=None,
plugin_name=None,
local=False,
path=None,
**kwargs
):
"""Enable a new auth method.
After enabling, the auth method can be accessed and configured via the auth path specified as part of the URL.
This auth path will be nested under the auth prefix.
Supported methods:
POST: /sys/auth/{path}. Produces: 204 (empty body)
:param method_type: The name of the authentication method type, such as "github" or "token".
:type method_type: str | unicode
:param description: A human-friendly description of the auth method.
:type description: str | unicode
:param config: Configuration options for this auth method. These are the possible values:
* **default_lease_ttl**: The default lease duration, specified as a string duration like "5s" or "30m".
* **max_lease_ttl**: The maximum lease duration, specified as a string duration like "5s" or "30m".
* **audit_non_hmac_request_keys**: Comma-separated list of keys that will not be HMAC'd by audit devices in
the request data object.
* **audit_non_hmac_response_keys**: Comma-separated list of keys that will not be HMAC'd by audit devices in
the response data object.
* **listing_visibility**: Specifies whether to show this mount in the UI-specific listing endpoint.
* **passthrough_request_headers**: Comma-separated list of headers to whitelist and pass from the request to
the backend.
:type config: dict
:param plugin_name: The name of the auth plugin to use based from the name in the plugin catalog. Applies only
to plugin methods.
:type plugin_name: str | unicode
:param local: <Vault enterprise only> Specifies if the auth method is a local only. Local auth methods are not
replicated nor (if a secondary) removed by replication.
:type local: bool
:param path: The path to mount the method on. If not provided, defaults to the value of the "method_type"
argument.
:type path: str | unicode
:param kwargs: All dicts are accepted and passed to vault. See your specific secret engine for details on which
extra key-word arguments you might want to pass.
:type kwargs: dict
:return: The response of the request.
:rtype: requests.Response
"""
if path is None:
path = method_type
params = {
"type": method_type,
}
params.update(
utils.remove_nones(
{
"description": description,
"config": config,
"plugin_name": plugin_name,
"local": local,
}
)
)
params.update(kwargs)
api_path = utils.format_url("/v1/sys/auth/{path}", path=path)
return self._adapter.post(url=api_path, json=params)
def disable_auth_method(self, path):
"""Disable the auth method at the given auth path.
Supported methods:
DELETE: /sys/auth/{path}. Produces: 204 (empty body)
:param path: The path the method was mounted on. If not provided, defaults to the value of the "method_type"
argument.
:type path: str | unicode
:return: The response of the request.
:rtype: requests.Response
"""
api_path = utils.format_url("/v1/sys/auth/{path}", path=path)
return self._adapter.delete(
url=api_path,
)
def read_auth_method_tuning(self, path):
"""Read the given auth path's configuration.
This endpoint requires sudo capability on the final path, but the same functionality can be achieved without
sudo via sys/mounts/auth/[auth-path]/tune.
Supported methods:
GET: /sys/auth/{path}/tune. Produces: 200 application/json
:param path: The path the method was mounted on. If not provided, defaults to the value of the "method_type"
argument.
:type path: str | unicode
:return: The JSON response of the request.
:rtype: dict
"""
api_path = utils.format_url(
"/v1/sys/auth/{path}/tune",
path=path,
)
return self._adapter.get(
url=api_path,
)
def tune_auth_method(
self,
path,
default_lease_ttl=None,
max_lease_ttl=None,
description=None,
audit_non_hmac_request_keys=None,
audit_non_hmac_response_keys=None,
listing_visibility=None,
passthrough_request_headers=None,
**kwargs
):
"""Tune configuration parameters for a given auth path.
This endpoint requires sudo capability on the final path, but the same functionality can be achieved without
sudo via sys/mounts/auth/[auth-path]/tune.
Supported methods:
POST: /sys/auth/{path}/tune. Produces: 204 (empty body)
:param path: The path the method was mounted on. If not provided, defaults to the value of the "method_type"
argument.
:type path: str | unicode
:param default_lease_ttl: Specifies the default time-to-live. If set on a specific auth path, this overrides the
global default.
:type default_lease_ttl: int
:param max_lease_ttl: The maximum time-to-live. If set on a specific auth path, this overrides the global
default.
:type max_lease_ttl: int
:param description: Specifies the description of the mount. This overrides the current stored value, if any.
:type description: str | unicode
:param audit_non_hmac_request_keys: Specifies the list of keys that will not be HMAC'd by audit devices in the
request data object.
:type audit_non_hmac_request_keys: array
:param audit_non_hmac_response_keys: Specifies the list of keys that will not be HMAC'd by audit devices in the
response data object.
:type audit_non_hmac_response_keys: list
:param listing_visibility: Specifies whether to show this mount in the UI-specific listing endpoint. Valid
values are "unauth" or "".
:type listing_visibility: list
:param passthrough_request_headers: List of headers to whitelist and pass from the request to the backend.
:type passthrough_request_headers: list
:param kwargs: All dicts are accepted and passed to vault. See your specific secret engine for details on which
extra key-word arguments you might want to pass.
:type kwargs: dict
:return: The response of the request.
:rtype: requests.Response
"""
if listing_visibility is not None and listing_visibility not in ["unauth", ""]:
error_msg = 'invalid listing_visibility argument provided: "{arg}"; valid values: "unauth" or ""'.format(
arg=listing_visibility,
)
raise exceptions.ParamValidationError(error_msg)
# All parameters are optional for this method. Until/unless we include input validation, we simply loop over the
# parameters and add which parameters are set.
optional_parameters = {
"default_lease_ttl": {},
"max_lease_ttl": {},
"description": {},
"audit_non_hmac_request_keys": dict(comma_delimited_list=True),
"audit_non_hmac_response_keys": dict(comma_delimited_list=True),
"listing_visibility": {},
"passthrough_request_headers": dict(comma_delimited_list=True),
}
params = {}
for optional_parameter, parameter_specification in optional_parameters.items():
if locals().get(optional_parameter) is not None:
if parameter_specification.get("comma_delimited_list"):
argument = locals().get(optional_parameter)
validate_list_of_strings_param(optional_parameter, argument)
params[optional_parameter] = list_to_comma_delimited(argument)
else:
params[optional_parameter] = locals().get(optional_parameter)
params.update(kwargs)
api_path = utils.format_url("/v1/sys/auth/{path}/tune", path=path)
return self._adapter.post(
url=api_path,
json=params,
)
|
