o |nh 4@sVdZddlZddlmZmZddlmZddlmZdZ e e Z GdddeZ dS) zAzure auth method module.N) exceptionsutils) VaultApiBase)VALID_ENVIRONMENTSazurec @seZdZdZdddefddZefddZefddZdddddddddddef d d Zefd d Z efd dZ efddZ dddddefddZ dS)AzurezcAzure Auth Method (API). Reference: https://www.vaultproject.io/api/auth/azure/index.html Nc Csn|dur|tvrd}t|j|dtd||d}|t|||dtjd|d} |j j | |d S) aConfigure the credentials required for the plugin to perform API calls to Azure. These credentials will be used to query the metadata about the virtual machine. Supported methods: POST: /auth/{mount_point}/config. Produces: 204 (empty body) :param tenant_id: The tenant id for the Azure Active Directory organization. :type tenant_id: str | unicode :param resource: The configured URL for the application registered in Azure Active Directory. :type resource: str | unicode :param environment: The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud. :type environment: str | unicode :param client_id: The client id for credentials to query the Azure APIs. Currently read permissions to query compute resources are required. :type client_id: str | unicode :param client_secret: The client secret for credentials to query the Azure APIs. :type client_secret: str | unicode :param mount_point: The "path" the azure auth method was mounted on. :type mount_point: str | unicode :return: The response of the request. :rtype: requests.Response NzXinvalid environment argument provided: "{arg}"; supported environments: "{environments}",)arg environments) tenant_idresource) environment client_id client_secret/v1/auth/{mount_point}/config mount_pointurljson) rrParamValidationErrorformatjoinupdater remove_nones format_url_adapterpost) selfr r r rrr error_msgparamsapi_pathr"F/usr/local/lib/python3.10/dist-packages/hvac/api/auth_methods/azure.py configures4! zAzure.configurecCs&tjd|d}|jj|d}|dS)aReturn the previously configured config, including credentials. Supported methods: GET: /auth/{mount_point}/config. Produces: 200 application/json :param mount_point: The "path" the azure auth method was mounted on. :type mount_point: str | unicode :return: The data key from the JSON response of the request. :rtype: dict rrrdatarrrgetrrr!responser"r"r# read_configQs  zAzure.read_configcCstjd|d}|jj|dS)auDelete the previously configured Azure config and credentials. Supported methods: DELETE: /auth/{mount_point}/config. Produces: 204 (empty body) :param mount_point: The "path" the azure auth method was mounted on. :type mount_point: str | unicode :return: The response of the request. :rtype: requests.Response rrr%rrrdelete)rrr!r"r"r# delete_configds  zAzure.delete_configcCs|dur%t|ts%t|trtdd|Ds%d}t|j|t|dt |||||||| | | | d }tj d| |d}|j j ||d S) aCreate a role in the method. Role types have specific entities that can perform login operations against this endpoint. Constraints specific to the role type must be set on the role. These are applied to the authenticated entities attempting to login. Supported methods: POST: /auth/{mount_point}/role/{name}. Produces: 204 (empty body) :param name: Name of the role. :type name: str | unicode :param policies: Policies to be set on tokens issued using this role. :type policies: str | list :param num_uses: Number of uses to set on a token produced by this role. :type num_uses: int :param ttl: The TTL period of tokens issued using this role in seconds. :type ttl: str | unicode :param max_ttl: The maximum allowed lifetime of tokens issued in seconds using this role. :type max_ttl: str | unicode :param period: If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this parameter. :type period: str | unicode :param bound_service_principal_ids: The list of Service Principal IDs that login is restricted to. :type bound_service_principal_ids: list :param bound_group_ids: The list of group ids that login is restricted to. :type bound_group_ids: list :param bound_locations: The list of locations that login is restricted to. :type bound_locations: list :param bound_subscription_ids: The list of subscription IDs that login is restricted to. :type bound_subscription_ids: list :param bound_resource_groups: The list of resource groups that login is restricted to. :type bound_resource_groups: list :param bound_scale_sets: The list of scale set names that the login is restricted to. :type bound_scale_sets: list :param mount_point: The "path" the azure auth method was mounted on. :type mount_point: str | unicode :return: The response of the request. :rtype: requests.Response Ncss|]}t|tVqdS)N) isinstancestr).0pr"r"r# sz$Azure.create_role..z]unsupported policies argument provided "{arg}" ({arg_type}), required type: str or List[str]")r arg_type) policiesttlmax_ttlperiodbound_service_principal_idsbound_group_idsbound_locationsbound_subscription_idsbound_resource_groupsbound_scale_setsnum_uses"/v1/auth/{mount_point}/role/{name}rnamer) r/r0listallrrrtyperrrrr)rrBr5r6r7r8r9r:r;r<r=r>r?rrr r!r"r"r# create_rolevsF8zAzure.create_rolecCs(tjd||d}|jj|d}|dS)aRead the previously registered role configuration. Supported methods: GET: /auth/{mount_point}/role/{name}. Produces: 200 application/json :param name: Name of the role. :type name: str | unicode :param mount_point: The "path" the azure auth method was mounted on. :type mount_point: str | unicode :return: The "data" key from the JSON response of the request. :rtype: dict r@rAr%r&r')rrBrr!r*r"r"r# read_roles zAzure.read_rolecCs&tjd|d}|jj|d}|dS)a{List all the roles that are registered with the plugin. Supported methods: LIST: /auth/{mount_point}/role. Produces: 200 application/json :param mount_point: The "path" the azure auth method was mounted on. :type mount_point: str | unicode :return: The "data" key from the JSON response of the request. :rtype: dict z/v1/auth/{mount_point}/rolerr%r&)rrrrCr(r)r"r"r# list_roless   zAzure.list_rolescCstjd||d}|jj|dS)aDelete the previously registered role. Supported methods: DELETE: /auth/{mount_point}/role/{name}. Produces: 204 (empty body) :param name: Name of the role. :type name: str | unicode :param mount_point: The "path" the azure auth method was mounted on. :type mount_point: str | unicode :return: The response of the request. :rtype: requests.Response r@rAr%r,)rrBrr!r"r"r# delete_roleszAzure.delete_roleTc CsD||d} | t||||dtjd|d} |jj| || dS)atFetch a token. This endpoint takes a signed JSON Web Token (JWT) and a role name for some entity. It verifies the JWT signature to authenticate that entity and then authorizes the entity for the given role. Supported methods: POST: /auth/{mount_point}/login. Produces: 200 application/json :param role: Name of the role against which the login is being attempted. :type role: str | unicode :param jwt: Signed JSON Web Token (JWT) from Azure MSI. :type jwt: str | unicode :param subscription_id: The subscription ID for the machine that generated the MSI token. This information can be obtained through instance metadata. :type subscription_id: str | unicode :param resource_group_name: The resource group for the machine that generated the MSI token. This information can be obtained through instance metadata. :type resource_group_name: str | unicode :param vm_name: The virtual machine name for the machine that generated the MSI token. This information can be obtained through instance metadata. If vmss_name is provided, this value is ignored. :type vm_name: str | unicode :param vmss_name: The virtual machine scale set name for the machine that generated the MSI token. This information can be obtained through instance metadata. :type vmss_name: str | unicode :param use_token: if True, uses the token in the response received from the auth request to set the "token" attribute on the the :py:meth:`hvac.adapters.Adapter` instance under the _adapter Client attribute. :type use_token: bool :param mount_point: The "path" the azure auth method was mounted on. :type mount_point: str | unicode :return: The JSON response of the request. :rtype: dict )rolejwt)subscription_idresource_group_namevm_name vmss_namez/v1/auth/{mount_point}/loginr)r use_tokenr)rrrrrlogin) rrJrKrLrMrNrOrPrr r!r"r"r#rQs(- z Azure.login) __name__ __module__ __qualname____doc__DEFAULT_MOUNT_POINTr$r+r.rFrGrHrIrQr"r"r"r#r s@  >  _  r)rUlogginghvacrrhvac.api.vault_api_baserhvac.constants.azurerrV getLoggerrRloggerrr"r"r"r#s