Hello community,
here is the log from the commit of package python-hvac for openSUSE:Factory
checked in at 2020-07-17 20:51:12
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-hvac (Old)
and /work/SRC/openSUSE:Factory/.python-hvac.new.3592 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-hvac"
Fri Jul 17 20:51:12 2020 rev:3 rq:821437 version:0.10.4
Changes:
--------
--- /work/SRC/openSUSE:Factory/python-hvac/python-hvac.changes 2020-06-10
00:46:24.994634300 +0200
+++ /work/SRC/openSUSE:Factory/.python-hvac.new.3592/python-hvac.changes
2020-07-17 20:51:55.444987507 +0200
@@ -1,0 +2,7 @@
+Fri Jul 17 07:27:39 UTC 2020 - Dirk Mueller <dmuel...@suse.com>
+
+- update to 0.10.4:
+ - Extract "renew_self_token" from "renew_token". GH-598
+ - Add convenience step_down sys backend method. GH-597
+
+-------------------------------------------------------------------
Old:
----
v0.10.3.tar.gz
New:
----
v0.10.4.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-hvac.spec ++++++
--- /var/tmp/diff_new_pack.DZLaDn/_old 2020-07-17 20:51:57.356989501 +0200
+++ /var/tmp/diff_new_pack.DZLaDn/_new 2020-07-17 20:51:57.364989509 +0200
@@ -18,7 +18,7 @@
%{?!python_module:%define python_module() python-%{**} python3-%{**}}
Name: python-hvac
-Version: 0.10.3
+Version: 0.10.4
Release: 0
Summary: HashiCorp Vault API client
License: BSD-3-Clause
++++++ v0.10.3.tar.gz -> v0.10.4.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/hvac-0.10.3/.bumpversion.cfg
new/hvac-0.10.4/.bumpversion.cfg
--- old/hvac-0.10.3/.bumpversion.cfg 2020-05-24 21:19:23.000000000 +0200
+++ new/hvac-0.10.4/.bumpversion.cfg 2020-06-16 17:46:42.000000000 +0200
@@ -1,5 +1,5 @@
[bumpversion]
-current_version = 0.10.3
+current_version = 0.10.4
commit = True
tag = True
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/hvac-0.10.3/CHANGELOG.md new/hvac-0.10.4/CHANGELOG.md
--- old/hvac-0.10.3/CHANGELOG.md 2020-05-24 21:19:23.000000000 +0200
+++ new/hvac-0.10.4/CHANGELOG.md 2020-06-16 17:46:42.000000000 +0200
@@ -1,5 +1,18 @@
# Changelog
+## 0.10.4 (June 16th, 2020)
+
+### 🚀 Features
+
+- Extract "renew_self_token" from "renew_token". GH-598
+- Add convenience step_down sys backend method. GH-597
+
+### 📚 Documentation
+
+- Update AWS Auth Docs With Latest Usage . GH-599
+
+Thanks to @jeffwecan, @jm96441n and @pnijhara for their lovely contributions.
+
## 0.10.3 (May 24th, 2020)
### 🚀 Features
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/hvac-0.10.3/docs/conf.py new/hvac-0.10.4/docs/conf.py
--- old/hvac-0.10.3/docs/conf.py 2020-05-24 21:19:23.000000000 +0200
+++ new/hvac-0.10.4/docs/conf.py 2020-06-16 17:46:42.000000000 +0200
@@ -16,9 +16,9 @@
author = u'Ian Unruh, Jeffrey Hogan'
# The short X.Y version
-version = '0.10.3'
+version = '0.10.4'
# The full version, including alpha/beta/rc tags
-release = '0.10.3'
+release = '0.10.4'
# -- General configuration ---------------------------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/hvac-0.10.3/docs/usage/auth_methods/aws.rst
new/hvac-0.10.4/docs/usage/auth_methods/aws.rst
--- old/hvac-0.10.3/docs/usage/auth_methods/aws.rst 2020-05-24
21:19:23.000000000 +0200
+++ new/hvac-0.10.4/docs/usage/auth_methods/aws.rst 2020-06-16
17:46:42.000000000 +0200
@@ -6,7 +6,7 @@
IAM Authentication
------------------
-Source reference: :py:meth:`hvac.v1.Client.auth_aws_iam`
+Source reference: :py:meth:`hvac.api.auth_methods.Aws.iam_login`
Static Access Key Strings
`````````````````````````
@@ -19,9 +19,9 @@
client = hvac.Client()
- client.auth_aws_iam('MY_AWS_ACCESS_KEY_ID', 'MY_AWS_SECRET_ACCESS_KEY')
- client.auth_aws_iam('MY_AWS_ACCESS_KEY_ID', 'MY_AWS_SECRET_ACCESS_KEY',
'MY_AWS_SESSION_TOKEN')
- client.auth_aws_iam('MY_AWS_ACCESS_KEY_ID', 'MY_AWS_SECRET_ACCESS_KEY',
role='MY_ROLE')
+ client.auth.aws.iam_login('MY_AWS_ACCESS_KEY_ID',
'MY_AWS_SECRET_ACCESS_KEY')
+ client.auth.aws.iam_login('MY_AWS_ACCESS_KEY_ID',
'MY_AWS_SECRET_ACCESS_KEY', 'MY_AWS_SESSION_TOKEN')
+ client.auth.aws.iam_login('MY_AWS_ACCESS_KEY_ID',
'MY_AWS_SECRET_ACCESS_KEY', role='MY_ROLE')
Boto3 Session
@@ -38,7 +38,7 @@
credentials = session.get_credentials()
client = hvac.Client()
- client.auth_aws_iam(credentials.access_key, credentials.secret_key,
credentials.token)
+ client.auth.aws.iam_login(credentials.access_key, credentials.secret_key,
credentials.token)
EC2 Metadata Service
````````````````````
@@ -76,7 +76,7 @@
credentials = load_aws_ec2_role_iam_credentials('some-instance-role')
client = hvac.Client()
- client.auth_aws_iam(credentials['AccessKeyId'],
credentials['SecretAccessKey'], credentials['Token'])
+ client.auth.aws.iam_login(credentials['AccessKeyId'],
credentials['SecretAccessKey'], credentials['Token'])
Lambda and/or EC2 Instance
``````````````````````````
@@ -99,12 +99,12 @@
access_key_id, secret_access_key =
infer_credentials_from_iam_role('some-role')
client = hvac.Client()
- client.auth_aws_iam(access_key_id, secret_access_key)
+ client.auth.aws.iam_login(access_key_id, secret_access_key, session_token)
Caveats For Non-Default AWS Regions
```````````````````````````````````
-I.e., calling :py:meth:`hvac.v1.Client.auth_aws_iam` with a `region` argument
other than its default of "**us-east-1**". For additional background / context
on this matter, see the comments at `hvac#251`_ and/or `vault-ruby#161`_.
+I.e., calling :py:meth:`hvac.api.auth_methods.Aws.iam_login` with a `region`
argument other than its default of "**us-east-1**". For additional background /
context on this matter, see the comments at `hvac#251`_ and/or
`vault-ruby#161`_.
The following code snippets are for authenticating hosts in the **us-west-1**
region:
@@ -123,7 +123,7 @@
# One-time setup of the credentials / configuration for the Vault server
to use.
# Note the explicit region subdomain bit included in the endpoint argument.
- client.create_vault_ec2_client_configuration(
+ client.auth.aws.configure(
access_key='SOME_ACCESS_KEY_FOR_VAULTS_USE',
secret_key='SOME_ACCESS_KEY_FOR_VAULTS_USE',
endpoint='https://sts.us-west-1.amazonaws.com',
@@ -131,21 +131,21 @@
session = boto3.Session()
creds = session.get_credentials().get_frozen_credentials()
- client.auth_aws_iam(
- creds.access_key,
- creds.secret_key,
- creds.token,
- region="us-west-1",
+ client.auth.aws.iam_login((
+ access_key=creds.access_key,
+ secret_key=creds.secret_key,
+ session_token=creds.token,
header_value=VAULT_HEADER_VALUE,
role='some-role,
use_token=True,
+ region='us-west-1',
)
EC2 Authentication
------------------
-Source reference: :py:meth:`hvac.v1.Client.auth_ec2`
+Source reference: :py:meth:`hvac.api.auth_methods.Aws.ec2_login`
EC2 Metadata Service
````````````````````
@@ -246,7 +246,7 @@
logger.debug('Attempting to retrieve information from disk.')
nonce = load_aws_ec2_nonce_from_disk()
- auth_ec2_resp = vault_client.auth_ec2(
+ auth_ec2_resp = vault_client.auth.aws.ec2_login(
pkcs7=pkcs7,
nonce=nonce,
role=role,
@@ -300,5 +300,219 @@
authenticated_vault_client = get_vault_client()
+Methods
+-------
+
+Configure
+`````````
+
+Source reference: :py:meth:`hvac.api.auth_methods.Aws.configure`
+
+
+Read Config
+```````````
+
+Source reference: :py:meth:`hvac.api.auth_methods.Aws.read_config`
+
+
+Delete Config
+`````````````
+
+Source reference: :py:meth:`hvac.api.auth_methods.Aws.delete_config`
+
+
+Configure Identity Integration
+``````````````````````````````
+
+Source reference:
:py:meth:`hvac.api.auth_methods.Aws.configure_identity_integration`
+
+
+Read Identity Integration
+`````````````````````````
+
+Source reference:
:py:meth:`hvac.api.auth_methods.Aws.read_identity_integration`
+
+
+Create Certificate Configuration
+````````````````````````````````
+
+Source reference:
:py:meth:`hvac.api.auth_methods.Aws.create_certificate_configuration`
+
+
+Read Certificate Configuration
+``````````````````````````````
+
+Source reference:
:py:meth:`hvac.api.auth_methods.Aws.read_certificate_configuration`
+
+
+Delete Certificate Configuration
+````````````````````````````````
+
+Source reference:
:py:meth:`hvac.api.auth_methods.Aws.delete_certificate_configuration`
+
+
+List Certificate Configurations
+```````````````````````````````
+
+Source reference:
:py:meth:`hvac.api.auth_methods.Aws.list_certificate_configurations`
+
+
+Create Sts Role
+```````````````
+
+Source reference: :py:meth:`hvac.api.auth_methods.Aws.create_sts_role`
+
+
+Read Sts Role
+`````````````
+
+Source reference: :py:meth:`hvac.api.auth_methods.Aws.read_sts_role`
+
+
+List Sts Roles
+``````````````
+
+Source reference: :py:meth:`hvac.api.auth_methods.Aws.list_sts_roles`
+
+
+Delete Sts Role
+```````````````
+
+Source reference: :py:meth:`hvac.api.auth_methods.Aws.delete_sts_role`
+
+
+Configure Identity Whitelist Tidy
+`````````````````````````````````
+
+Source reference:
:py:meth:`hvac.api.auth_methods.Aws.configure_identity_whitelist_tidy`
+
+
+Read Identity Whitelist Tidy
+````````````````````````````
+
+Source reference:
:py:meth:`hvac.api.auth_methods.Aws.read_identity_whitelist_tidy`
+
+
+Delete Identity Whitelist Tidy
+``````````````````````````````
+
+Source reference:
:py:meth:`hvac.api.auth_methods.Aws.delete_identity_whitelist_tidy`
+
+
+Configure Role Tag Blacklist Tidy
+`````````````````````````````````
+
+Source reference:
:py:meth:`hvac.api.auth_methods.Aws.configure_role_tag_blacklist_tidy`
+
+
+Read Role Tag Blacklist Tidy
+````````````````````````````
+
+Source reference:
:py:meth:`hvac.api.auth_methods.Aws.read_role_tag_blacklist_tidy`
+
+
+Delete Role Tag Blacklist Tidy
+``````````````````````````````
+
+Source reference:
:py:meth:`hvac.api.auth_methods.Aws.delete_role_tag_blacklist_tidy`
+
+
+Create Role
+```````````
+
+Source reference: :py:meth:`hvac.api.auth_methods.Aws.create_role`
+
+
+Read Role
+`````````
+
+Source reference: :py:meth:`hvac.api.auth_methods.Aws.read_role`
+
+
+List Roles
+``````````
+
+Source reference: :py:meth:`hvac.api.auth_methods.Aws.list_roles`
+
+
+Delete Role
+```````````
+
+Source reference: :py:meth:`hvac.api.auth_methods.Aws.delete_role`
+
+
+Create Role Tags
+````````````````
+
+Source reference: :py:meth:`hvac.api.auth_methods.Aws.create_role_tags`
+
+
+IAM Login
+`````````
+
+Source reference: :py:meth:`hvac.api.auth_methods.Aws.iam_login`
+
+
+EC2 Login
+`````````
+
+Source reference: :py:meth:`hvac.api.auth_methods.Aws.ec2_login`
+
+
+Place Role Tags In Blacklist
+````````````````````````````
+
+Source reference:
:py:meth:`hvac.api.auth_methods.Aws.place_role_tags_in_blacklist`
+
+
+Read Role Tag Blacklist
+```````````````````````
+
+Source reference: :py:meth:`hvac.api.auth_methods.Aws.read_role_tag_blacklist`
+
+
+List Blacklist Tags
+```````````````````
+
+Source reference: :py:meth:`hvac.api.auth_methods.Aws.list_blacklist_tags`
+
+
+Delete Blacklist Tags
+`````````````````````
+
+Source reference: :py:meth:`hvac.api.auth_methods.Aws.delete_blacklist_tags`
+
+
+Tidy Blacklist Tags
+```````````````````
+
+Source reference: :py:meth:`hvac.api.auth_methods.Aws.tidy_blacklist_tags`
+
+
+Read Identity Whitelist
+```````````````````````
+
+Source reference: :py:meth:`hvac.api.auth_methods.Aws.read_identity_whitelist`
+
+
+List Identity Whitelist
+```````````````````````
+
+Source reference: :py:meth:`hvac.api.auth_methods.Aws.list_identity_whitelist`
+
+
+Delete Identity Whitelist Entries
+`````````````````````````````````
+
+Source reference:
:py:meth:`hvac.api.auth_methods.Aws.delete_identity_whitelist_entries`
+
+
+Tidy Identity Whitelist Entries
+```````````````````````````````
+
+Source reference:
:py:meth:`hvac.api.auth_methods.Aws.tidy_identity_whitelist_entries`
+
+
+
.. _hvac#251: https://github.com/hvac/hvac/issues/251
.. _vault-ruby#161:
https://github.com/hashicorp/vault-ruby/pull/161#issuecomment-355723269
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/hvac-0.10.3/docs/usage/system_backend/leader.rst
new/hvac-0.10.4/docs/usage/system_backend/leader.rst
--- old/hvac-0.10.3/docs/usage/system_backend/leader.rst 2020-05-24
21:19:23.000000000 +0200
+++ new/hvac-0.10.4/docs/usage/system_backend/leader.rst 2020-06-16
17:46:42.000000000 +0200
@@ -28,3 +28,19 @@
.. testoutput:: sys_leader
HA status is: False
+
+Step Down
+---------
+
+.. automethod:: hvac.api.system_backend.Leader.step_down
+ :noindex:
+
+Examples
+````````
+
+.. code:: python
+
+ import hvac
+
+ client = hvac.Client(url='https://127.0.0.1:8200')
+ client.sys.step_down()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/hvac-0.10.3/hvac/api/auth_methods/aws.py
new/hvac-0.10.4/hvac/api/auth_methods/aws.py
--- old/hvac-0.10.3/hvac/api/auth_methods/aws.py 2020-05-24
21:19:23.000000000 +0200
+++ new/hvac-0.10.4/hvac/api/auth_methods/aws.py 2020-06-16
17:46:42.000000000 +0200
@@ -21,8 +21,7 @@
def configure(self, max_retries=None, access_key=None, secret_key=None,
endpoint=None, iam_endpoint=None,
sts_endpoint=None, iam_server_id_header_value=None,
mount_point=AWS_DEFAULT_MOUNT_POINT):
- """Configures the credentials required to perform API calls to AWS as
well as custom endpoints to talk to AWS
- API
+ """Configure the credentials required to perform API calls to AWS as
well as custom endpoints to talk to AWS API.
The instance identity document fetched from the PKCS#7 signature will
provide the EC2 instance ID.
The credentials configured using this endpoint will be used to query
the status of the instances via
@@ -60,7 +59,7 @@
against different types of replay attacks, for example a signed
request sent to a dev server being resent
to a production server
:type iam_server_id_header_value: str | unicode
- :param mount_point: The "path" the aws auth method was mounted on
+ :param mount_point: The path the AWS auth method was mounted on.
:type mount_point: str | unicode
:return: The response of the request.
:rtype: requests.Response
@@ -82,12 +81,12 @@
)
def read_config(self, mount_point=AWS_DEFAULT_MOUNT_POINT):
- """Returns the previously configured AWS access credentials
+ """Read previously configured AWS access credentials.
Supported methods:
GET: /auth/{mount_point}/config. Produces: 200 application/json
- :param mount_point: The "path" the aws auth method was mounted on
+ :param mount_point: The path the AWS auth method was mounted on.
:type mount_point: str | unicode
:return: The data key from the JSON response of the request.
:rtype: dict
@@ -99,12 +98,12 @@
return response.get('data')
def delete_config(self, mount_point=AWS_DEFAULT_MOUNT_POINT):
- """Deletes the previously configured AWS access credentials
+ """Delete previously configured AWS access credentials,
Supported methods:
DELETE: /auth/{mount_point}/config Produces: 204 (empty body)
- :param mount_point: The "path" the aws auth method was mounted on
+ :param mount_point: The path the AWS auth method was mounted on.
:type mount_point: str | unicode
:return: The response of the request.
:rtype: requests.Response
@@ -116,8 +115,9 @@
def configure_identity_integration(self, iam_alias=None, ec2_alias=None,
mount_point=AWS_DEFAULT_MOUNT_POINT):
- """Configures the way that Vault interacts with the Identity store.
The default (as of Vault 1.0.3)
- is role_id for both values
+ """Configure the way that Vault interacts with the Identity store.
+
+ The default (as of Vault 1.0.3) is role_id for both values.
Supported methods:
POST: /auth/{mount_point}/config/identity Produces: 204 (empty
body)
@@ -136,7 +136,7 @@
used. When instance_id is selected, the instance identifier is
used as the identity alias name. When
image_id is selected, AMI ID of the instance is used as the
identity alias name
:type ec2_alias: str | unicode
- :param mount_point: The "path" the aws auth method was mounted on
+ :param mount_point: The path the AWS auth method was mounted on.
:type mount_point: str | unicode
:return: The response of the request
:rtype: request.Response
@@ -164,12 +164,12 @@
)
def read_identity_integration(self, mount_point=AWS_DEFAULT_MOUNT_POINT):
- """Returns the previously configured identity integration configuration
+ """Return previously configured identity integration configuration.
Supported methods:
GET: /auth/{mount_point}/config/identity. Produces: 200
application/json
- :param mount_point: The "path" the aws auth method was mounted on
+ :param mount_point: The path the AWS auth method was mounted on.
:type mount_point: str | unicode
:return: The data key from the JSON response of the request.
:rtype: dict
@@ -181,7 +181,7 @@
return response.get('data')
def create_certificate_configuration(self, cert_name, aws_public_cert,
document_type=None, mount_point=AWS_DEFAULT_MOUNT_POINT):
- """Registers an AWS public key to be used to verify the instance
identity documents
+ """Register AWS public key to be used to verify the instance identity
documents.
While the PKCS#7 signature of the identity documents have DSA digest,
the identity signature will have RSA
digest, and hence the public keys for each type varies respectively.
Indicate the type of the public key using
@@ -197,7 +197,7 @@
:param document_type: Takes the value of either "pkcs7" or "identity",
indicating the type of document which can be
verified using the given certificate
:type document_type: string | unicode
- :param mount_point: The "path" the aws auth method was mounted on
+ :param mount_point: The path the AWS auth method was mounted on.
:type mount_point: str | unicode
:return: The response of the request
:rtype: request.Response
@@ -218,14 +218,14 @@
)
def read_certificate_configuration(self, cert_name,
mount_point=AWS_DEFAULT_MOUNT_POINT):
- """Returns the previously configured AWS public key
+ """Return previously configured AWS public key.
Supported methods:
GET: /v1/auth/{mount_point}/config/certificate/:cert_name
Produces: 200 application/json
:param cert_name: Name of the certificate
:type cert_name: str | unicode
- :param mount_point: The "path" the aws auth method was mounted on
+ :param mount_point: The path the AWS auth method was mounted on.
:return: The data key from the JSON response of the request.
:rtype: dict
"""
@@ -236,14 +236,14 @@
return response.get('data')
def delete_certificate_configuration(self, cert_name,
mount_point=AWS_DEFAULT_MOUNT_POINT):
- """Removes the previously configured AWS public key
+ """Remove previously configured AWS public key.
Supported methods:
DELETE: /auth/{mount_point}/config/certificate/:cert_name
Produces: 204 (empty body)
:param cert_name: Name of the certificate
:type cert_name: str | unicode
- :param mount_point: The "path" the aws auth method was mounted on
+ :param mount_point: The path the AWS auth method was mounted on.
:type mount_point: str | unicode
:return: The response of the request
:rtype: request.Response
@@ -254,13 +254,15 @@
)
def list_certificate_configurations(self,
mount_point=AWS_DEFAULT_MOUNT_POINT):
- """Lists all the AWS public certificates that are registered with the
method
+ """List AWS public certificates that are registered with the method.
Supported methods
LIST: /auth/{mount_point}/config/certificates Produces: 200
application/json
- :param mount_point:
- :return:
+ :param mount_point: The path the AWS auth method was mounted on.
+ :type mount_point: str
+ :return: The response of the request.
+ :rtype: requests.Response
"""
api_path =
utils.format_url('/v1/auth/{mount_point}/config/certificates',
mount_point=mount_point)
response = self._adapter.list(
@@ -269,7 +271,7 @@
return response.get('data')
def create_sts_role(self, account_id, sts_role,
mount_point=AWS_DEFAULT_MOUNT_POINT):
- """ Allows the explicit association of STS roles to satellite AWS
accounts (i.e. those which are not the
+ """Allow the explicit association of STS roles to satellite AWS
accounts (i.e. those which are not the
account in which the Vault server is running.)
Vault will use credentials obtained by assuming these STS roles
when validating IAM principals or EC2
@@ -278,10 +280,16 @@
Supported methods:
POST: /v1/auth/{mount_point}/config/sts/:account_id Produces:
204 (empty body)
- :param account_id:
- :param sts_role:
- :param mount_point:
- :return:
+ :param account_id: AWS account ID to be associated with STS role.
+ If set, Vault will use assumed credentials to verify any login
attempts from EC2 instances in this account.
+ :type account_id: str
+ :param sts_role: AWS ARN for STS role to be assumed when interacting
with the account specified.
+ The Vault server must have permissions to assume this role.
+ :type sts_role: str
+ :param mount_point: The path the AWS auth method was mounted on.
+ :type mount_point: str
+ :return: The response of the request.
+ :rtype: requests.Response
"""
api_path = utils.format_url('/v1/auth/{0}/config/sts/{1}',
mount_point, account_id)
params = {
@@ -294,11 +302,14 @@
)
def read_sts_role(self, account_id, mount_point=AWS_DEFAULT_MOUNT_POINT):
- """Returns the previously configured STS role
+ """Return previously configured STS role.
- :param account_id:
- :param mount_point:
- :return:
+ :param account_id: AWS account ID that has been previously associated
with STS role.
+ :type account_id: str
+ :param mount_point: The path the AWS auth method was mounted on.
+ :type mount_point: str
+ :return: The response of the request.
+ :rtype: requests.Response
"""
api_path = utils.format_url('/v1/auth/{0}/config/sts/{1}',
mount_point, account_id)
response = self._adapter.get(
@@ -307,10 +318,12 @@
return response.get('data')
def list_sts_roles(self, mount_point=AWS_DEFAULT_MOUNT_POINT):
- """Lists all the AWS Account IDs for which an STS role is registered
+ """List AWS Account IDs for which an STS role is registered.
- :param mount_point:
- :return:
+ :param mount_point: The path the AWS auth method was mounted on.
+ :type mount_point: str
+ :return: The response of the request.
+ :rtype: requests.Response
"""
api_path = utils.format_url('/v1/auth/{mount_point}/config/sts',
mount_point=mount_point)
response = self._adapter.list(
@@ -319,11 +332,13 @@
return response.get('data')
def delete_sts_role(self, account_id, mount_point=AWS_DEFAULT_MOUNT_POINT):
- """Deletes a previously configured AWS account/STS role association
+ """Delete a previously configured AWS account/STS role association.
:param account_id:
- :param mount_point:
- :return:
+ :param mount_point: The path the AWS auth method was mounted on.
+ :type mount_point: str
+ :return: The response of the request.
+ :rtype: requests.Response
"""
api_path = utils.format_url('/v1/auth/{0}/config/sts/{1}',
mount_point, account_id)
return self._adapter.delete(
@@ -332,12 +347,17 @@
def configure_identity_whitelist_tidy(self, safety_buffer=None,
disable_periodic_tidy=None,
mount_point=AWS_DEFAULT_MOUNT_POINT):
- """Configures the periodic tidying operation of the whitelisted
identity entries
+ """Configure the periodic tidying operation of the whitelisted
identity entries.
- :param safety_buffer:
- :param disable_periodic_tidy:
- :param mount_point:
- :return:
+ :param safety_buffer: The amount of extra time that must have passed
beyond the roletag expiration, before
+ it is removed from the method storage.
+ :type safety_buffer: str
+ :param disable_periodic_tidy: If set to 'true', disables the periodic
tidying of the identity-whitelist/<instance_id> entries.
+ :type disable_periodic_tidy: bool
+ :param mount_point: The path the AWS auth method was mounted on.
+ :type mount_point: str
+ :return: The response of the request.
+ :rtype: requests.Response
"""
api_path =
utils.format_url('/v1/auth/{mount_point}/config/tidy/identity-whitelist',
mount_point=mount_point)
params = utils.remove_nones({
@@ -350,10 +370,12 @@
)
def read_identity_whitelist_tidy(self,
mount_point=AWS_DEFAULT_MOUNT_POINT):
- """Returns the previously configured periodic whitelist tidying
settings
+ """Read previously configured periodic whitelist tidying settings.
- :param mount_point:
- :return:
+ :param mount_point: The path the AWS auth method was mounted on.
+ :type mount_point: str
+ :return: The response of the request.
+ :rtype: requests.Response
"""
api_path =
utils.format_url('/v1/auth/{mount_point}/config/tidy/identity-whitelist',
mount_point=mount_point)
response = self._adapter.get(
@@ -362,10 +384,12 @@
return response.get('data')
def delete_identity_whitelist_tidy(self,
mount_point=AWS_DEFAULT_MOUNT_POINT):
- """Deletes the previously configured periodic whitelist tidying
settings
+ """Delete previously configured periodic whitelist tidying settings.
- :param mount_point:
- :return:
+ :param mount_point: The path the AWS auth method was mounted on.
+ :type mount_point: str
+ :return: The response of the request.
+ :rtype: requests.Response
"""
api_path =
utils.format_url('/v1/auth/{mount_point}/config/tidy/identity-whitelist',
mount_point=mount_point)
return self._adapter.delete(
@@ -374,12 +398,17 @@
def configure_role_tag_blacklist_tidy(self, safety_buffer=None,
disable_periodic_tidy=None,
mount_point=AWS_DEFAULT_MOUNT_POINT):
- """Configures the periodic tidying operation of the blacklisted role
tag entries
+ """Configure the periodic tidying operation of the blacklisted role
tag entries.
- :param safety_buffer:
- :param disable_periodic_tidy:
- :param mount_point:
- :return:
+ :param safety_buffer: The amount of extra time that must have passed
beyond the roletag expiration, before
+ it is removed from the method storage.
+ :type safety_buffer: str
+ :param disable_periodic_tidy: If set to 'true', disables the periodic
tidying of the roletag-blacklist/<instance_id> entries.
+ :type disable_periodic_tidy: bool
+ :param mount_point: The path the AWS auth method was mounted on.
+ :type mount_point: str
+ :return: The response of the request.
+ :rtype: requests.Response
"""
api_path =
utils.format_url('/v1/auth/{mount_point}/config/tidy/roletag-blacklist',
mount_point=mount_point)
params = utils.remove_nones({
@@ -392,10 +421,12 @@
)
def read_role_tag_blacklist_tidy(self,
mount_point=AWS_DEFAULT_MOUNT_POINT):
- """Returns the previously configured periodic blacklist tidying
settings
+ """Read previously configured periodic blacklist tidying settings.
- :param mount_point:
- :return:
+ :param mount_point: The path the AWS auth method was mounted on.
+ :type mount_point: str
+ :return: The response of the request.
+ :rtype: requests.Response
"""
api_path =
utils.format_url('/v1/auth/{mount_point}/config/tidy/roletag-blacklist',
mount_point=mount_point)
response = self._adapter.get(
@@ -404,10 +435,12 @@
return response.get('data')
def delete_role_tag_blacklist_tidy(self,
mount_point=AWS_DEFAULT_MOUNT_POINT):
- """Deletes the previously configured periodic blacklist tidying
settings
+ """Delete previously configured periodic blacklist tidying settings.
- :param mount_point:
- :return:
+ :param mount_point: The path the AWS auth method was mounted on.
+ :type mount_point: str
+ :return: The response of the request.
+ :rtype: requests.Response
"""
api_path =
utils.format_url('/v1/auth/{mount_point}/config/tidy/roletag-blacklist',
mount_point=mount_point)
return self._adapter.delete(
@@ -421,15 +454,7 @@
resolve_aws_unique_ids=None, ttl=None, max_ttl=None,
period=None, policies=None,
allow_instance_migration=None,
disallow_reauthentication=None,
mount_point=AWS_DEFAULT_MOUNT_POINT):
- """Registers a role in the method. Only those instances or principals
which are using the role registered
- using this endpoint, will be able to perform the login operation
-
- Constraints can be specified on the role, that are applied on the
instances or principals attempting to
- login. At least one constraint must be specified on the role. The
available constraints you can choose
- are dependent on the auth_type of the role and, if the auth_type
is iam, then whether inferencing is
- enabled. A role will not let you configure a constraint if it is
not checked by the auth_type and
- inferencing configuration of that role. For the constraints which
accept a list of values, the
- authenticating instance/principal must match any one value in the
list in order to satisfy that constraint
+ """Register a role in the method.
:param role:
:param auth_type:
@@ -452,8 +477,10 @@
:param policies:
:param allow_instance_migration:
:param disallow_reauthentication:
- :param mount_point:
- :return:
+ :param mount_point: The path the AWS auth method was mounted on.
+ :type mount_point: str
+ :return: The response of the request.
+ :rtype: requests.Response
"""
api_path = utils.format_url('/v1/auth/{0}/role/{1}', mount_point, role)
params = {
@@ -492,8 +519,10 @@
"""Returns the previously registered role configuration
:param role:
- :param mount_point:
- :return:
+ :param mount_point: The path the AWS auth method was mounted on.
+ :type mount_point: str
+ :return: The response of the request.
+ :rtype: requests.Response
"""
api_path = utils.format_url('/v1/auth/{0}/role/{1}', mount_point, role)
response = self._adapter.get(
@@ -504,8 +533,10 @@
def list_roles(self, mount_point=AWS_DEFAULT_MOUNT_POINT):
"""Lists all the roles that are registered with the method
- :param mount_point:
- :return:
+ :param mount_point: The path the AWS auth method was mounted on.
+ :type mount_point: str
+ :return: The response of the request.
+ :rtype: requests.Response
"""
api_path = utils.format_url('/v1/auth/{mount_point}/roles',
mount_point=mount_point)
response = self._adapter.list(
@@ -517,8 +548,10 @@
"""Deletes the previously registered role
:param role:
- :param mount_point:
- :return:
+ :param mount_point: The path the AWS auth method was mounted on.
+ :type mount_point: str
+ :return: The response of the request.
+ :rtype: requests.Response
"""
api_path = utils.format_url('/v1/auth/{0}/role/{1}', mount_point, role)
return self._adapter.delete(
@@ -547,8 +580,10 @@
:param instance_id:
:param allow_instance_migration:
:param disallow_reauthentication:
- :param mount_point:
- :return:
+ :param mount_point: The path the AWS auth method was mounted on.
+ :type mount_point: str
+ :return: The response of the request.
+ :rtype: requests.Response
"""
api_path = utils.format_url('/v1/auth/{0}/role/{1}/tag', mount_point,
role)
@@ -575,8 +610,15 @@
role with which the login is being performed. With the ec2 auth
method, as an alternative to pkcs7
signature, the identity document along with its RSA digest can be
supplied to this endpoint
- :param mount_point:
- :return:
+ :param role: Name of the role against which the login is being
attempted.
+ :type role: str
+ :param use_token: if True, uses the token in the response received
from the auth request to set the "token"
+ attribute on the the :py:meth:`hvac.adapters.Adapter` instance
under the _adapater Client attribute.
+ :type use_token: bool
+ :param mount_point: The path the AWS auth method was mounted on.
+ :type mount_point: str
+ :return: The response of the request.
+ :rtype: requests.Response
"""
api_path = utils.format_url('/v1/auth/{mount_point}/login',
mount_point=mount_point)
@@ -601,12 +643,21 @@
)
def ec2_login(self, pkcs7, nonce=None, role=None, use_token=True,
mount_point=AWS_DEFAULT_MOUNT_POINT):
- """Fetch a token
- :param pkcs7:
- :param nonce:
- :param role:
- :param use_token:
- :param mount_point:
+ """Retrieve a Vault token using an AWS authentication method mount's
EC2 role.
+
+ :param pkcs7: PKCS7 signature of the identity document with all
newline characters removed.
+ :type pkcs7: str
+ :param nonce: The nonce to be used for subsequent login requests.
+ :type nonce: str
+ :param role: Name of the role against which the login is being
attempted.
+ :type role: str
+ :param use_token: if True, uses the token in the response received
from the auth request to set the "token"
+ attribute on the the :py:meth:`hvac.adapters.Adapter` instance
under the _adapater Client attribute.
+ :type use_token: bool
+ :param mount_point: The path the AWS auth method was mounted on.
+ :type mount_point: str
+ :return: The response of the request.
+ :rtype: requests.Response
"""
api_path = utils.format_url('/v1/auth/{mount_point}/login',
mount_point=mount_point)
params = {
@@ -631,8 +682,10 @@
does not invalidate the already issued token
:param role_tag:
- :param mount_point:
- :return:
+ :param mount_point: The path the AWS auth method was mounted on.
+ :type mount_point: str
+ :return: The response of the request.
+ :rtype: requests.Response
"""
api_path = utils.format_url('/v1/auth/{0}/roletag-blacklist/{1}',
mount_point, role_tag)
return self._adapter.post(
@@ -643,8 +696,10 @@
"""Returns the blacklist entry of a previously blacklisted role tag
:param role_tag:
- :param mount_point:
- :return:
+ :param mount_point: The path the AWS auth method was mounted on.
+ :type mount_point: str
+ :return: The response of the request.
+ :rtype: requests.Response
"""
api_path = utils.format_url('/v1/auth/{0}/roletag-blacklist/{1}',
mount_point, role_tag)
response = self._adapter.get(
@@ -655,8 +710,10 @@
def list_blacklist_tags(self, mount_point=AWS_DEFAULT_MOUNT_POINT):
"""Lists all the role tags that are blacklisted
- :param mount_point:
- :return:
+ :param mount_point: The path the AWS auth method was mounted on.
+ :type mount_point: str
+ :return: The response of the request.
+ :rtype: requests.Response
"""
api_path =
utils.format_url('/v1/auth/{mount_point}/roletag-blacklist',
mount_point=mount_point)
response = self._adapter.list(
@@ -668,8 +725,10 @@
"""Deletes a blacklisted role tag
:param role_tag:
- :param mount_point:
- :return:
+ :param mount_point: The path the AWS auth method was mounted on.
+ :type mount_point: str
+ :return: The response of the request.
+ :rtype: requests.Response
"""
api_path = utils.format_url('/v1/auth/{0}/roletag-blacklist/{1}',
mount_point, role_tag)
return self._adapter.delete(
@@ -680,8 +739,10 @@
"""Cleans up the entries in the blacklist based on expiration time on
the entry and safety_buffer
:param saftey_buffer:
- :param mount_point:
- :return:
+ :param mount_point: The path the AWS auth method was mounted on.
+ :type mount_point: str
+ :return: The response of the request.
+ :rtype: requests.Response
"""
api_path =
utils.format_url('/v1/auth/{mount_point}/tidy/roletag-blacklist',
mount_point=mount_point)
params = {
@@ -696,8 +757,10 @@
"""Returns an entry in the whitelist. An entry will be created/updated
by every successful login
:param instance_id:
- :param mount_point:
- :return:
+ :param mount_point: The path the AWS auth method was mounted on.
+ :type mount_point: str
+ :return: The response of the request.
+ :rtype: requests.Response
"""
api_path = utils.format_url('/v1/auth/{0}/identity-whitelist/{1}',
mount_point, instance_id)
response = self._adapter.get(
@@ -708,8 +771,10 @@
def list_identity_whitelist(self, mount_point=AWS_DEFAULT_MOUNT_POINT):
"""Lists all the instance IDs that are in the whitelist of successful
logins
- :param mount_point:
- :return:
+ :param mount_point: The path the AWS auth method was mounted on.
+ :type mount_point: str
+ :return: The response of the request.
+ :rtype: requests.Response
"""
api_path =
utils.format_url('/v1/auth/{mount_point}/identity-whitelist',
mount_point=mount_point)
response = self._adapter.list(
@@ -721,8 +786,10 @@
"""Deletes a cache of the successful login from an instance
:param instance_id:
- :param mount_point:
- :return:
+ :param mount_point: The path the AWS auth method was mounted on.
+ :type mount_point: str
+ :return: The response of the request.
+ :rtype: requests.Response
"""
api_path = utils.format_url('/v1/auth/{0}/identity-whitelist/{1}',
mount_point, instance_id)
return self._adapter.delete(
@@ -733,8 +800,10 @@
"""Cleans up the entries in the whitelist based on expiration time and
safety_buffer
:param saftey_buffer:
- :param mount_point:
- :return:
+ :param mount_point: The path the AWS auth method was mounted on.
+ :type mount_point: str
+ :return: The response of the request.
+ :rtype: requests.Response
"""
api_path =
utils.format_url('/v1/auth/{mount_point}/tidy/identity-whitelist',
mount_point=mount_point)
params = {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/hvac-0.10.3/hvac/api/auth_methods/azure.py
new/hvac-0.10.4/hvac/api/auth_methods/azure.py
--- old/hvac-0.10.3/hvac/api/auth_methods/azure.py 2020-05-24
21:19:23.000000000 +0200
+++ new/hvac-0.10.4/hvac/api/auth_methods/azure.py 2020-06-16
17:46:42.000000000 +0200
@@ -145,7 +145,7 @@
if policies is not None:
if not (
isinstance(policies, str)
- or (isinstance(policies, list) and all([isinstance(p, str) for
p in policies]))
+ or (isinstance(policies, list) and all(isinstance(p, str) for
p in policies))
):
error_msg = 'unsupported policies argument provided "{arg}"
({arg_type}), required type: str or List[str]"'
raise exceptions.ParamValidationError(error_msg.format(
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/hvac-0.10.3/hvac/api/auth_methods/github.py
new/hvac-0.10.4/hvac/api/auth_methods/github.py
--- old/hvac-0.10.3/hvac/api/auth_methods/github.py 2020-05-24
21:19:23.000000000 +0200
+++ new/hvac-0.10.4/hvac/api/auth_methods/github.py 2020-06-16
17:46:42.000000000 +0200
@@ -93,7 +93,7 @@
# First, perform parameter validation.
if policies is None:
policies = []
- if not isinstance(policies, list) or not all([isinstance(p, str) for p
in policies]):
+ if not isinstance(policies, list) or not all(isinstance(p, str) for p
in policies):
error_msg = 'unsupported policies argument provided "{arg}"
({arg_type}), required type: List[str]"'
raise exceptions.ParamValidationError(error_msg.format(
arg=policies,
@@ -153,7 +153,7 @@
# First, perform parameter validation.
if policies is None:
policies = []
- if not isinstance(policies, list) or not all([isinstance(p, str) for p
in policies]):
+ if not isinstance(policies, list) or not all(isinstance(p, str) for p
in policies):
error_msg = 'unsupported policies argument provided "{arg}"
({arg_type}), required type: List[str]"'
raise exceptions.ParamValidationError(error_msg.format(
arg=policies,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/hvac-0.10.3/hvac/api/secrets_engines/pki.py
new/hvac-0.10.4/hvac/api/secrets_engines/pki.py
--- old/hvac-0.10.3/hvac/api/secrets_engines/pki.py 2020-05-24
21:19:23.000000000 +0200
+++ new/hvac-0.10.4/hvac/api/secrets_engines/pki.py 2020-06-16
17:46:42.000000000 +0200
@@ -133,7 +133,7 @@
url=api_path,
)
- def set_crl_configuration(self, expiry=None, disable=None,
extra_params={}, mount_point=DEFAULT_MOUNT_POINT):
+ def set_crl_configuration(self, expiry=None, disable=None,
extra_params=None, mount_point=DEFAULT_MOUNT_POINT):
"""Set CRL Configuration.
Setting the duration for which the generated CRL should be marked
valid.
@@ -148,6 +148,8 @@
:return: The JSON response of the request.
:rtype: requests.Response
"""
+ if extra_params is None:
+ extra_params = {}
api_path = utils.format_url('/v1/{mount_point}/config/crl',
mount_point=mount_point)
params = extra_params
params.update(
@@ -240,7 +242,7 @@
url=api_path,
)
- def generate_intermediate(self, type, common_name, extra_params={},
mount_point=DEFAULT_MOUNT_POINT):
+ def generate_intermediate(self, type, common_name, extra_params=None,
mount_point=DEFAULT_MOUNT_POINT):
"""Generate Intermediate.
Generates a new private key and a CSR for signing.
@@ -259,6 +261,8 @@
:return: The JSON response of the request.
:rtype: requests.Response
"""
+ if extra_params is None:
+ extra_params = {}
api_path = utils.format_url(
'/v1/{mount_point}/intermediate/generate/{type}',
mount_point=mount_point,
@@ -301,7 +305,7 @@
json=params,
)
- def generate_certificate(self, name, common_name, extra_params={},
mount_point=DEFAULT_MOUNT_POINT):
+ def generate_certificate(self, name, common_name, extra_params=None,
mount_point=DEFAULT_MOUNT_POINT):
"""Generate Certificate.
Generates a new set of credentials (private key and certificate) based
on the role named in the endpoint.
@@ -320,6 +324,8 @@
:return: The JSON response of the request.
:rtype: requests.Response
"""
+ if extra_params is None:
+ extra_params = {}
api_path = utils.format_url(
'/v1/{mount_point}/issue/{name}',
mount_point=mount_point,
@@ -359,7 +365,7 @@
json=params,
)
- def create_or_update_role(self, name, extra_params={},
mount_point=DEFAULT_MOUNT_POINT):
+ def create_or_update_role(self, name, extra_params=None,
mount_point=DEFAULT_MOUNT_POINT):
"""Create/Update Role.
Creates or updates the role definition.
@@ -376,6 +382,8 @@
:return: The JSON response of the request.
:rname: requests.Response
"""
+ if extra_params is None:
+ extra_params = {}
api_path = utils.format_url(
'/v1/{mount_point}/roles/{name}',
mount_point=mount_point,
@@ -457,7 +465,7 @@
url=api_path,
)
- def generate_root(self, type, common_name, extra_params={},
mount_point=DEFAULT_MOUNT_POINT):
+ def generate_root(self, type, common_name, extra_params=None,
mount_point=DEFAULT_MOUNT_POINT):
"""Generate Root.
Generates a new self-signed CA certificate and private key.
@@ -476,6 +484,8 @@
:return: The JSON response of the request.
:rtype: requests.Response
"""
+ if extra_params is None:
+ extra_params = {}
api_path = utils.format_url(
'/v1/{mount_point}/root/generate/{type}',
mount_point=mount_point,
@@ -512,7 +522,7 @@
url=api_path,
)
- def sign_intermediate(self, csr, common_name, extra_params={},
mount_point=DEFAULT_MOUNT_POINT):
+ def sign_intermediate(self, csr, common_name, extra_params=None,
mount_point=DEFAULT_MOUNT_POINT):
"""Sign Intermediate.
Issue a certificate with appropriate values for acting as an
intermediate CA.
@@ -531,6 +541,8 @@
:return: The JSON response of the request.
:rtype: requests.Response
"""
+ if extra_params is None:
+ extra_params = {}
api_path =
utils.format_url('/v1/{mount_point}/root/sign-intermediate',
mount_point=mount_point)
params = extra_params
@@ -567,7 +579,7 @@
json=params,
)
- def sign_certificate(self, name, csr, common_name, extra_params={},
mount_point=DEFAULT_MOUNT_POINT):
+ def sign_certificate(self, name, csr, common_name, extra_params=None,
mount_point=DEFAULT_MOUNT_POINT):
"""Sign Certificate.
Signs a new certificate based upon the provided CSR and the supplied
parameters.
@@ -588,6 +600,8 @@
:return: The JSON response of the request.
:rtype: requests.Response
"""
+ if extra_params is None:
+ extra_params = {}
api_path = utils.format_url(
'/v1/{mount_point}/sign/{name}',
mount_point=mount_point,
@@ -603,7 +617,7 @@
json=params,
)
- def sign_verbatim(self, csr, name=False, extra_params={},
mount_point=DEFAULT_MOUNT_POINT):
+ def sign_verbatim(self, csr, name=False, extra_params=None,
mount_point=DEFAULT_MOUNT_POINT):
"""Sign Verbatim.
Signs a new certificate based upon the provided CSR.
@@ -622,6 +636,8 @@
:return: The JSON response of the request.
:rtype: requests.Response
"""
+ if extra_params is None:
+ extra_params = {}
url_to_transform = '/v1/{mount_point}/sign-verbatim'
if name:
url_to_transform = url_to_transform + '/{name}'
@@ -640,7 +656,7 @@
json=params,
)
- def tidy(self, extra_params={}, mount_point=DEFAULT_MOUNT_POINT):
+ def tidy(self, extra_params=None, mount_point=DEFAULT_MOUNT_POINT):
"""Tidy.
Allows tidying up the storage backend and/or CRL by removing
certificates that have
@@ -656,6 +672,8 @@
:return: The JSON response of the request.
:rtype: requests.Response
"""
+ if extra_params is None:
+ extra_params = {}
api_path = utils.format_url(
'/v1/{mount_point}/tidy',
mount_point=mount_point,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/hvac-0.10.3/hvac/api/system_backend/auth.py
new/hvac-0.10.4/hvac/api/system_backend/auth.py
--- old/hvac-0.10.3/hvac/api/system_backend/auth.py 2020-05-24
21:19:23.000000000 +0200
+++ new/hvac-0.10.4/hvac/api/system_backend/auth.py 2020-06-16
17:46:42.000000000 +0200
@@ -172,12 +172,12 @@
# All parameters are optional for this method. Until/unless we include
input validation, we simply loop over the
# parameters and add which parameters are set.
optional_parameters = {
- 'default_lease_ttl': dict(),
- 'max_lease_ttl': dict(),
- 'description': dict(),
+ 'default_lease_ttl': {},
+ 'max_lease_ttl': {},
+ 'description': {},
'audit_non_hmac_request_keys': dict(comma_delimited_list=True),
'audit_non_hmac_response_keys': dict(comma_delimited_list=True),
- 'listing_visibility': dict(),
+ 'listing_visibility': {},
'passthrough_request_headers': dict(comma_delimited_list=True),
}
params = {}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/hvac-0.10.3/hvac/api/system_backend/leader.py
new/hvac-0.10.4/hvac/api/system_backend/leader.py
--- old/hvac-0.10.3/hvac/api/system_backend/leader.py 2020-05-24
21:19:23.000000000 +0200
+++ new/hvac-0.10.4/hvac/api/system_backend/leader.py 2020-06-16
17:46:42.000000000 +0200
@@ -16,3 +16,20 @@
return self._adapter.get(
url=api_path,
)
+
+ def step_down(self):
+ """Force the node to give up active status.
+
+ If the node does not have active status, this endpoint does nothing.
+ Note that the node will sleep for ten seconds before attempting to grab
+ the active lock again, but if no standby nodes grab the active lock in
+ the interim, the same node may become the active node again. Requires a
+ token with root policy or sudo capability on the path.
+
+ :return: The JSON response of the request.
+ :rtype: dict
+ """
+ api_path = '/v1/sys/step-down'
+ return self._adapter.get(
+ url=api_path,
+ )
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/hvac-0.10.3/hvac/utils.py
new/hvac-0.10.4/hvac/utils.py
--- old/hvac-0.10.3/hvac/utils.py 2020-05-24 21:19:23.000000000 +0200
+++ new/hvac-0.10.4/hvac/utils.py 2020-06-16 17:46:42.000000000 +0200
@@ -208,7 +208,7 @@
param_argument = []
if isinstance(param_argument, str):
param_argument = param_argument.split(',')
- if not isinstance(param_argument, list) or not all([isinstance(p, str) for
p in param_argument]):
+ if not isinstance(param_argument, list) or not all(isinstance(p, str) for
p in param_argument):
error_msg = 'unsupported {param} argument provided "{arg}"
({arg_type}), required type: List[str]'
raise exceptions.ParamValidationError(error_msg.format(
param=param_name,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/hvac-0.10.3/hvac/v1/__init__.py
new/hvac-0.10.4/hvac/v1/__init__.py
--- old/hvac-0.10.3/hvac/v1/__init__.py 2020-05-24 21:19:23.000000000 +0200
+++ new/hvac-0.10.4/hvac/v1/__init__.py 2020-06-16 17:46:42.000000000 +0200
@@ -6,6 +6,7 @@
from hvac import aws_utils, exceptions, adapters, utils, api
from hvac.constants.client import DEPRECATED_PROPERTIES, DEFAULT_URL
+from hvac.utils import generate_property_deprecation_message
try:
import hcl
@@ -433,6 +434,8 @@
:type wrap_ttl:
:return:
:rtype:
+
+ For calls expecting to hit the renew-self endpoint please use the
"renew_self_token" method instead
"""
params = {
'increment': increment,
@@ -442,7 +445,25 @@
params['token'] = token
return self._adapter.post('/v1/auth/token/renew', json=params,
wrap_ttl=wrap_ttl)
else:
- return self._adapter.post('/v1/auth/token/renew-self',
json=params, wrap_ttl=wrap_ttl)
+ generate_property_deprecation_message("1.0.0", "renew_token()
without token param", "renew_self_token() without token param",
"renew_self_token")
+ return self.renew_self_token(increment=increment,
wrap_ttl=wrap_ttl)
+
+ def renew_self_token(self, increment=None, wrap_ttl=None):
+ """
+ POST /auth/token/renew-self
+
+ :param increment:
+ :type increment:
+ :param wrap_ttl:
+ :type wrap_ttl:
+ :return:
+ :rtype:
+ """
+ params = {
+ 'increment': increment,
+ }
+
+ return self._adapter.post('/v1/auth/token/renew-self', json=params,
wrap_ttl=wrap_ttl)
def create_token_role(self, role,
allowed_policies=None, disallowed_policies=None,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/hvac-0.10.3/setup.py new/hvac-0.10.4/setup.py
--- old/hvac-0.10.3/setup.py 2020-05-24 21:19:23.000000000 +0200
+++ new/hvac-0.10.4/setup.py 2020-06-16 17:46:42.000000000 +0200
@@ -10,7 +10,7 @@
setup(
name='hvac',
- version='0.10.3',
+ version='0.10.4',
description='HashiCorp Vault API client',
long_description=load_long_description(),
long_description_content_type="text/markdown",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/hvac-0.10.3/tests/integration_tests/v1/test_integration.py
new/hvac-0.10.4/tests/integration_tests/v1/test_integration.py
--- old/hvac-0.10.3/tests/integration_tests/v1/test_integration.py
2020-05-24 21:19:23.000000000 +0200
+++ new/hvac-0.10.4/tests/integration_tests/v1/test_integration.py
2020-06-16 17:46:42.000000000 +0200
@@ -75,6 +75,29 @@
except exceptions.InvalidRequest:
assert True
+ def test_self_auth_token_manipulation(self):
+ result = self.client.create_token(lease='1h', renewable=True)
+ assert result['auth']['client_token']
+ self.client.token = result['auth']['client_token']
+
+ lookup = self.client.lookup_token(result['auth']['client_token'])
+ assert result['auth']['client_token'] == lookup['data']['id']
+
+ renew = self.client.renew_self_token()
+ assert result['auth']['client_token'] == renew['auth']['client_token']
+
+ self.client.revoke_token(lookup['data']['id'])
+
+ try:
+ lookup = self.client.lookup_token(result['auth']['client_token'])
+ assert False
+ except exceptions.Forbidden:
+ assert True
+ except exceptions.InvalidPath:
+ assert True
+ except exceptions.InvalidRequest:
+ assert True
+
def test_userpass_auth(self):
if 'userpass/' in self.client.list_auth_backends()['data']:
self.client.disable_auth_backend('userpass')
