o |nhHm@s\dZddlZddlZddlmZmZddlmZddlm Z m Z m Z dZ GdddeZ dS) zGcp methods module.N) exceptionsutils) VaultApiBase)ALLOWED_SECRETS_TYPESSERVICE_ACCOUNT_KEY_ALGORITHMSSERVICE_ACCOUNT_KEY_TYPESgcpc@sTeZdZdZdddefddZefddZefddZddefd d Zefd d Z efd dZ efddZ efddZ efddZ efddZdddefddZdddefddZefddZefd d!Zefd"d#Zefd$d%Zefd&d'Zdddefd(d)Zddefd*d+Zefd,d-Zefd.d/Zefd0d1Zefd2d3Z   d6d4d5ZdS)7GcpzmGoogle Cloud Secrets Engine (API). Reference: https://www.vaultproject.io/api/secret/gcp/index.html NcCs0t|||d}tjd|d}|jj||dS)uConfigure shared information for the Gcp secrets engine. Supported methods: POST: /{mount_point}/config. Produces: 204 (empty body) :param credentials: JSON credentials (either file contents or '@path/to/file') See docs for alternative ways to pass in to this parameter, as well as the required permissions. :type credentials: str | unicode :param ttl: – Specifies default config TTL for long-lived credentials (i.e. service account keys). Accepts integer number of seconds or Go duration format string. :type ttl: int | str :param max_ttl: Specifies the maximum config TTL for long-lived credentials (i.e. service account keys). Accepts integer number of seconds or Go duration format string.** :type max_ttl: int | str :param mount_point: The "path" the method/backend was mounted on. :type mount_point: str | unicode :return: The response of the request. :rtype: requests.Response ) credentialsttlmax_ttl/v1/{mount_point}/config mount_pointurljson)r remove_nones format_url_adapterpost)selfr r r rparamsapi_pathrG/usr/local/lib/python3.10/dist-packages/hvac/api/secrets_engines/gcp.py configuresz Gcp.configurecCtjd|d}|jj|dS)aRotate the GCP service account credentials used by Vault for this mount. A new key will be generated for the service account, replacing the internal value, and then a deletion of the old service account key is scheduled. Note that this does not create a new service account, only a new version of the service account key. Supported methods: POST: /{mount_point}/config/rotate-root. Produces: 200 application/json :param mount_point: The "path" the method/backend was mounted on. :type mount_point: str | unicode :return: The JSON response of the request. :rtype: dict z$/v1/{mount_point}/config/rotate-rootrrrrrrrrrrrrrotate_root_credentials:szGcp.rotate_root_credentialscCr)aRead the configured shared information for the Gcp secrets engine. Credentials will be omitted from returned data. Supported methods: GET: /{mount_point}/config. Produces: 200 application/json :param mount_point: The "path" the method/backend was mounted on. :type mount_point: str | unicode :return: The JSON response of the request. :rtype: dict r rrrrrgetr rrr read_configQs zGcp.read_configc Cs|dur|tvrd}t|j|dtdt|tr,t| dd}t d|||d}| t ||d t jd ||d } |jj| |d S) aCreate a roleset or update an existing roleset. See roleset docs for the GCP secrets backend to learn more about what happens when you create or update a roleset. Supported methods: POST: /{mount_point}/roleset/{name}. Produces: 204 (empty body) :param name: Name of the role. Cannot be updated. :type name: str | unicode :param project: Name of the GCP project that this roleset's service account will belong to. Cannot be updated. :type project: str | unicode :param bindings: Bindings configuration string (expects HCL or JSON format in raw or base64-encoded string) :type bindings: str | unicode :param secret_type: Cannot be updated. :type secret_type: str | unicode :param token_scopes: List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only) :type token_scopes: list[str] :param mount_point: The "path" the method/backend was mounted on. :type mount_point: str | unicode :return: The response of the request. :rtype: requests.Response NSunsupported secret_type argument provided "{arg}", supported types: "{secret_type}",arg secret_type bindings: %s)projectbindings)r) token_scopes /v1/{mount_point}/roleset/{name}rnamerrrParamValidationErrorformatjoin isinstancedictrdumpsreplaceloggingdebugupdaterrrrr) rr2r-r.r)r/r error_msgrrrrrcreate_or_update_rolesetcs<!  zGcp.create_or_update_rolesetcCtjd||d}|jj|dS)aRotate the service account this roleset uses to generate secrets. This also replaces the key access_token roleset. This can be used to invalidate old secrets generated by the roleset or fix issues if a roleset's service account (and/or keys) was changed outside of Vault (i.e. through GCP APIs/cloud console). Supported methods: POST: /{mount_point}/roleset/{name}/rotate. Produces: 204 (empty body) :param name: Name of the role. :type name: str | unicode :param mount_point: The "path" the method/backend was mounted on. :type mount_point: str | unicode :return: The response of the request. :rtype: requests.Response z'/v1/{mount_point}/roleset/{name}/rotater1rrrr2rrrrrrotate_roleset_accountzGcp.rotate_roleset_accountcCr@)aRotate the service account key this roleset uses to generate access tokens. This does not recreate the roleset service account. Supported methods: POST: /{mount_point}/roleset/{name}/rotate-key. Produces: 204 (empty body) :param name: Name of the role. :type name: str | unicode :param mount_point: The "path" the method/backend was mounted on. :type mount_point: str | unicode :return: The response of the request. :rtype: requests.Response z+/v1/{mount_point}/roleset/{name}/rotate-keyr1rrrArrrrotate_roleset_account_keyzGcp.rotate_roleset_account_keycCr@)aRead a roleset. Supported methods: GET: /{mount_point}/roleset/{name}. Produces: 200 application/json :param name: Name of the role. :type name: str | unicode :param mount_point: The "path" the method/backend was mounted on. :type mount_point: str | unicode :return: The JSON response of the request. :rtype: dict r0r1rr"rArrr read_roleset zGcp.read_rolesetcCr)aDList configured rolesets. Supported methods: LIST: /{mount_point}/rolesets. Produces: 200 application/json :param mount_point: The "path" the method/backend was mounted on. :type mount_point: str | unicode :return: The JSON response of the request. :rtype: dict z/v1/{mount_point}/rolesetsrrrrrlistr rrr list_rolesets  zGcp.list_rolesetscCtjd||d}|jj|dS)aDelete an existing roleset by the given name. Supported methods: DELETE: /{mount_point}/roleset/{name} Produces: 200 application/json :param name: Name of the role. :type name: str | unicode :param mount_point: The "path" the method/backend was mounted on. :type mount_point: str | unicode :return: The response of the request. :rtype: requests.Response r0r2rrrrrdeleterArrrdelete_rolesetrGzGcp.delete_rolesetcCr@)anGenerate an OAuth2 token with the scopes defined on the roleset. This OAuth access token can be used in GCP API calls, e.g. curl -H "Authorization: Bearer $TOKEN" ... Supported methods: GET: /{mount_point}/token/{roleset}. Produces: 200 application/json :param roleset: Name of an roleset with secret type access_token to generate access_token under. :type roleset: str | unicode :param mount_point: The "path" the method/backend was mounted on. :type mount_point: str | unicode :return: The JSON response of the request. :rtype: dict z!/v1/{mount_point}/token/{roleset}rrolesetrr")rrRrrrrrgenerate_oauth2_access_tokenrEz Gcp.generate_oauth2_access_tokenKEY_ALG_RSA_2048TYPE_GOOGLE_CREDENTIALS_FILEPOSTcC tjd||d}|||||S)afGenerate Secret (IAM Service Account Creds): Service Account Key If using GET ('read'), the optional parameters will be set to their defaults. Use POST if you want to specify different values for these params. :param roleset: Name of an roleset with secret type service_account_key to generate key under. :type roleset: str | unicode :param key_algorithm: Key algorithm used to generate key. Defaults to 2k RSA key You probably should not choose other values (i.e. 1k), :type key_algorithm: str | unicode :param key_type: Private key type to generate. Defaults to JSON credentials file. :type key_type: str | unicode :param method: Supported methods: POST: /{mount_point}/key/{roleset}. Produces: 200 application/json GET: /{mount_point}/key/{roleset}. Produces: 200 application/json :type method: str | unicode :param mount_point: The "path" the method/backend was mounted on. :type mount_point: str | unicode :return: The JSON response of the request. :rtype: dict z/v1/{mount_point}/key/{roleset}rQrr_generate_service_account_key)rrR key_algorithmkey_typemethodrrrrrgenerate_service_account_key0z Gcp.generate_service_account_keyc Cs|dur|tvrd}t|j|dtdt|tr,t| dd}t d|d|i}| t |||d t jd ||d } |jj| |d S) a;Create a static account or update an existing static account. See static account docs for the GCP secrets backend to learn more about what happens when you create or update a static account. Supported methods: POST: /{mount_point}/static-account/{name}. Produces: 204 (empty body) :param name: Name of the static account. Cannot be updated. :type name: str | unicode :param service_account_email: Email of the GCP service account to manage. Cannot be updated. :type service_account_email: str | unicode :param bindings: Bindings configuration string (expects HCL or JSON format in raw or base64-encoded string) :type bindings: str | unicode :param secret_type: Type of secret generated for this static account. Accepted values: access_token, service_account_key. Cannot be updated. :type secret_type: str | unicode :param token_scopes: List of OAuth scopes to assign to access_token secrets generated under this static account (access_token static accounts only) :type token_scopes: list[str] :param mount_point: The "path" the method/backend was mounted on. :type mount_point: str | unicode :return: The response of the request. :rtype: requests.Response Nr%r&r'r*r+r,service_account_email)r.r)r/'/v1/{mount_point}/static-account/{name}r1rr3) rr2r_r.r)r/rr>rrrrrcreate_or_update_static_accountWs<"  z#Gcp.create_or_update_static_accountcCr@)a!Rotate the service account key this static account uses to generate access tokens. This does not recreate the service account. Supported methods: POST: /{mount_point}/static-account/{name}/rotate-key. Produces: 204 (empty body) :param name: Name of the static account. :type name: str | unicode :param mount_point: The "path" the method/backend was mounted on. :type mount_point: str | unicode :return: The response of the request. :rtype: requests.Response z2/v1/{mount_point}/static-account/{name}/rotate-keyr1rrrArrrrotate_static_account_keyrEzGcp.rotate_static_account_keycCr@)aRead a static account. Supported methods: GET: /{mount_point}/static-account/{name}. Produces: 200 application/json :param name: Name of the static account. :type name: str | unicode :param mount_point: The "path" the method/backend was mounted on. :type mount_point: str | unicode :return: The JSON response of the request. :rtype: dict r`r1rr"rArrrread_static_accountrGzGcp.read_static_accountcCr)aRList configured static accounts. Supported methods: LIST: /{mount_point}/static-accounts. Produces: 200 application/json :param mount_point: The "path" the method/backend was mounted on. :type mount_point: str | unicode :return: The JSON response of the request. :rtype: dict z!/v1/{mount_point}/static-accountsrrrHr rrrlist_static_accountsrKzGcp.list_static_accountscCrL)aDelete an existing static account by the given name. Supported methods: DELETE: /{mount_point}/static-account/{name} Produces: 204 (empty body) :param name: Name of the static account. :type name: str | unicode :param mount_point: The "path" the method/backend was mounted on. :type mount_point: str | unicode :return: The response of the request. :rtype: requests.Response r`rMrrNrArrrdelete_static_accountrGzGcp.delete_static_accountcCr@)aGenerate an OAuth2 token with the scopes defined on the static account. This OAuth access token can be used in GCP API calls, e.g. curl -H "Authorization: Bearer $TOKEN" ... Supported methods: GET: /{mount_point}/static-account/{name}/token. Produces: 200 application/json :param name: Name of a static account with secret type access_token to generate access_token under. :type name: str | unicode :param mount_point: The "path" the method/backend was mounted on. :type mount_point: str | unicode :return: The JSON response of the request. :rtype: dict z-/v1/{mount_point}/static-account/{name}/tokenr1rr"rArrr+generate_static_account_oauth2_access_tokenrCz/Gcp.generate_static_account_oauth2_access_tokencCrW)aGenerate Secret (IAM Service Account Creds): Service Account Key If using GET ('read'), the optional parameters will be set to their defaults. Use POST if you want to specify different values for these params. :param name: Name of a static account with secret type service_account_key to generate key under. :type name: str | unicode :param key_algorithm: Key algorithm used to generate key. Defaults to 2k RSA key You probably should not choose other values (i.e. 1k), :type key_algorithm: str | unicode :param key_type: Private key type to generate. Defaults to JSON credentials file. :type key_type: str | unicode :param method: Supported methods: POST: /v1/{mount_point}/static-account/{name}/key. Produces: 200 application/json GET: /v1/{mount_point}/static-account/{name}/key. Produces: 200 application/json :type method: str | unicode :param mount_point: The "path" the method/backend was mounted on. :type mount_point: str | unicode :return: The JSON response of the request. :rtype: dict z+/v1/{mount_point}/static-account/{name}/keyr1rX)rr2rZr[r\rrrrr+generate_static_account_service_account_key r^z/Gcp.generate_static_account_service_account_keycCs>d|i}|t||dtjd||d}|jj||dS)aCreate an impersonated account or update an existing impersonated account. See impersonated account docs for the GCP secrets backend to learn more about what happens when you create or update an impersonated account. Supported methods: POST: /{mount_point}/impersonated-account/{name}. Produces: 204 (empty body) :param name: Name of the impersonated account. Cannot be updated. :type name: str | unicode :param service_account_email: Email of the GCP service account to manage. Cannot be updated. :type service_account_email: str | unicode :param token_scopes: List of OAuth scopes to assign to access tokens generated under this impersonated account :type token_scopes: list[str] :param ttl: Lifetime of the token generated. Defaults to 1 hour and is limited to a maximum of 12 hours. Uses duration format strings. :type ttl: str | unicode :param mount_point: The "path" the method/backend was mounted on. :type mount_point: str | unicode :return: The response of the request. :rtype: requests.Response r_)r/r -/v1/{mount_point}/impersonated-account/{name}r1r)r=rrrrr)rr2r_r/r rrrrrr%create_or_update_impersonated_account3s$z)Gcp.create_or_update_impersonated_accountcCr@)aRead an impersonated account. Supported methods: GET: /{mount_point}/impersonated-account/{name}. Produces: 200 application/json :param name: Name of the impersonated account. :type name: str | unicode :param mount_point: The "path" the method/backend was mounted on. :type mount_point: str | unicode :return: The JSON response of the request. :rtype: dict rhr1rr"rArrrread_impersonated_accountfrGzGcp.read_impersonated_accountcCr)a^List configured impersonated accounts. Supported methods: LIST: /{mount_point}/impersonated-accounts. Produces: 200 application/json :param mount_point: The "path" the method/backend was mounted on. :type mount_point: str | unicode :return: The JSON response of the request. :rtype: dict z'/v1/{mount_point}/impersonated-accountsrrrHr rrrlist_impersonated_accounts|rKzGcp.list_impersonated_accountscCrL)aDelete an existing impersonated account by the given name. Supported methods: DELETE: /{mount_point}/impersonated-account/{name} Produces: 204 (empty body) :param name: Name of the impersonated account. :type name: str | unicode :param mount_point: The "path" the method/backend was mounted on. :type mount_point: str | unicode :return: The response of the request. :rtype: requests.Response rhrMrrNrArrrdelete_impersonated_accountrGzGcp.delete_impersonated_accountcCr@)azGenerate an OAuth2 token with the scopes defined on the impersonated account. This OAuth access token can be used in GCP API calls, e.g. curl -H "Authorization: Bearer $TOKEN" ... Supported methods: GET: /{mount_point}/impersonated-account/{name}/token. Produces: 200 application/json :param name: Name of the impersonated account to generate an access token under. :type name: str | unicode :param mount_point: The "path" the method/backend was mounted on. :type mount_point: str | unicode :return: The JSON response of the request. :rtype: dict z3/v1/{mount_point}/impersonated-account/{name}/tokenr1rr"rArrr1generate_impersonated_account_oauth2_access_tokenrCz5Gcp.generate_impersonated_account_oauth2_access_tokenc Cs|dkr9|tvrd}t|j|dtd|tvr*d}t|j|dtd||d}|jj||d}|S|d krF|jj|d }|Sd j|d }t|) NrVzYunsupported key_algorithm argument provided "{arg}", supported algorithms: "{algorithms}"r&)r( algorithmszNunsupported key_type argument provided "{arg}", supported types: "{key_types}")r( key_types)rZr[rGETrzS"method" parameter provided invalid value; POST or GET allowed, "{method}" provided)r\) rrr4r5r6rrrr#) rrrZr[r\r>rresponse error_messagerrrrYsD  z!Gcp._generate_service_account_key)rTrUrV)__name__ __module__ __qualname____doc__DEFAULT_MOUNT_POINTrr!r$r?rBrDrFrJrPrSr]rarbrcrdrerfrgrirjrkrlrmrYrrrrr sd #  E      + E     + 3   r )rvrr;hvacrrhvac.api.vault_api_baserhvac.constants.gcprrrrwr rrrrs