o |nhS@s4dZddlmZddlmZdZGdddeZdS)z!SSH vault secrets backend module.)utils) VaultApiBasesshc@s6eZdZdZddefddZdefddZddddddddddddddddddd d dd d d d dd defd d Zdefd dZefddZ defddZ efddZ defddZ efddZ dddefddZdefddZefddZdddd d!efd"d#Zefd$d%Zefd&d'Zddddd(dd d ef d)d*Zd S)+Sshz]SSH Secrets Engine (API). Reference: https://www.vaultproject.io/api-docs/secret/ssh cCs(d|i}tjd||d}|jj||dS)a@This endpoint updates a named key. This method uses deprecated functionality that was removed in Vault 1.13.0. :param name: Specifies the name of the key to create. :type name: str | unicode :param key: Specifies an SSH private key with appropriate privileges on remote hosts. :type key: str | unicode :param mount_point: Specifies the place where the secrets engine will be accessible (default: ssh). :type mount_point: str | unicode :return: The JSON response of the request :rtype: requests.Response key/v1/{mount_point}/keys/{name} mount_pointnameurljsonr format_url_adapterpost)selfr rr paramsapi_pathrG/usr/local/lib/python3.10/dist-packages/hvac/api/secrets_engines/ssh.pycreate_or_update_keyszSsh.create_or_update_keycCtjd||d}|jj|dS)aThis endpoint deletes a named key. This method uses deprecated functionality that was removed in Vault 1.13.0. :param name: Specifies the name of the key to delete. :type name: str | unicode :param mount_point: Specifies the place where the secrets engine will be accessible (default: ssh). :type mount_point: str | unicode :return: The JSON response of the request :rtype: requests.Response rr r rrrdeleterr r rrrr delete_key3 zSsh.delete_keyiNFc Csid|d|d|d|d|d|d|d| d | d | d | d | d |d|d|d|d|||||||||||d }tjd||d}|jj||dS)aThis endpoint creates or updates a named role. :param name: Specifies the name of the role to create. :type name: str | unicode :param key: Specifies the name of the registered key in Vault. :type key: str | unicode :param admin_user: Specifies the admin user at remote host. :type admin_user: str | unicode :param default_user: Specifies the default username for which a credential will be generated. :type default_user: str | unicode :param cidr_list: Specifies a comma separated list of CIDR blocks for which the role is applicable for. :type cidr_list: str | unicode :param exclude_cidr_list: Specifies a comma-separated list of CIDR blocks. :type exclude_cidr_list: str | unicode :param port: Specifies the port number for SSH connection. :type port: int :param key_type: Specifies the type of credentials generated by this role. :type key_type: str | unicode :param key_bits: Specifies the length of the RSA dynamic key in bits. (default: 1024) :type key_bits: int :param install_script: Specifies the script used to install and uninstall public keys in the target machine. :type install_script: str | unicode :param allowed_users: If only certain usernames are to be allowed, then this list enforces it. :type allowed_users: str | unicode :param allowed_users_template: If set, allowed_users can be specified using identity template policies. (default: false) :type allowed_users_template: bool :param allowed_domains: The list of domains for which a client can request a host certificate. :type allowed_domains: str | unicode :param key_option_specs: Specifies a comma separated option specification which will be prefixed to RSA keys in the remote host's authorized_keys file. :type key_option_specs: str | unicode :param ttl: Specifies the Time To Live value provided as a string duration with time suffix. :type ttl: string | unicode :param max_ttl: Specifies the Time To Live value provided as a string duration with time suffix. :type max_ttl: str | unicode :param allowed_critical_options: Specifies a comma-separated list of critical options that certificates can have when signed. :type allowed_critical_options: str | unicode :param allowed_extensions: Specifies a comma-separated list of extensions that certificates can have when signed. :type allowed_extensions: str | unicode :param default_critical_options: Specifies a map of critical options certificates should have if none are provided when signing. :type default_critical_options: dict :param default_extensions: Specifies a map of extensions certificates should have if none are provided when signing. :type default_extensions: dict :param allow_user_certificates: Specifies if certificates are allowed to be signed for use as a 'user'. (default: False) :type allow_user_certificates: bool :param allow_host_certificates: Specifies if certificates are allowed to be signed for use as a 'host'. (default: False) :type allow_host_certificates: bool :param allow_bare_domains: Specifies if host certificates that are requested are allowed to use the base domains listed in allowed_domains, e.g. "example.com". (default: False) :type allow_bare_domains: bool :param allow_subdomains: Specifies if host certificates that are requested are allowed to be subdomains of those listed in allowed_domains. (default: False) :type allow_subdomains: bool :param allow_user_key_ids: Specifies if users can override the key ID for a signed certificate with the "key_id" field. (default: False) :type allow_user_key_ids: bool :param key_id_format: When supplied, this value specifies a custom format for the key id of a signed certificate. :type key_id_format: str | unicode :param allowed_user_key_lengths: Specifies a map of ssh key types and their expected sizes which are allowed to be signed by the CA type. :type allowed_user_key_lengths: dict :param algorithm_signer: Algorithm to sign keys with. (default: "default") :type algorithm_signer: str | unicode :param mount_point: Specifies the place where the secrets engine will be accessible (default: ssh). :type mount_point: str | unicode :return: The JSON response of the request :rtype: requests.Response r admin_user default_user cidr_listexclude_cidr_listportkey_typekey_bitsinstall_script allowed_usersallowed_users_templateallowed_domainskey_option_specsttlmax_ttlallowed_critical_optionsallowed_extensions) default_critical_optionsdefault_extensionsallow_user_certificatesallow_host_certificatesallow_bare_domainsallow_subdomainsallow_user_key_ids key_id_formatallowed_user_key_lengthsalgorithm_signer/v1/{mount_point}/roles/{name}r r r) rr rr!r"r#r$r%r&r'r(r)r*r+r,r-r.r/r0r1r2r3r4r5r6r7r8r9r:r rrrrr create_roleIsdl     zSsh.create_rolecCr)auThis endpoint queries a named role. :param name: Specifies the name of the role to read. :type name: str | unicode :param mount_point: Specifies the place where the secrets engine will be accessible (default: ssh). :type mount_point: str | unicode :return: The JSON response of the request :rtype: requests.Response r;r rrrrgetrrrr read_rolerz Ssh.read_rolecCtjd|d}|jj|dS)aUThis endpoint returns a list of available roles. Only the role names are returned, not any values. :param mount_point: Specifies the place where the secrets engine will be accessible (default: ssh). :type mount_point: str | unicode :return: The JSON response of the request :rtype: requests.Response z/v1/{mount_point}/rolesr r)rrrlistrr rrrr list_roless zSsh.list_rolescCr)aMThis endpoint deletes a named role. :param name: :type name: str | unicode :param mount_point: Specifies the place where the secrets engine will be accessible (default: ssh). :type mount_point: str | unicode :return: The JSON response of the request :rtype: requests.Response r;r rrrrrr delete_roles  zSsh.delete_rolecCr@)a3This endpoint returns the list of configured zero-address roles. :param mount_point: Specifies the place where the secrets engine will be accessible (default: ssh). :type mount_point: str | unicode :return: The JSON response of the request :rtype: requests.Response $/v1/{mount_point}/config/zeroaddressrArr=rCrrrlist_zeroaddress_roles  zSsh.list_zeroaddress_rolescC&d|i}tjd|d}|jj||dS)aThis endpoint configures zero-address roles. :param roles: Specifies a string containing comma separated list of role names which allows credentials to be requested for any IP address. :type roles: str | unicode :param mount_point: Specifies the place where the secrets engine will be accessible (default: ssh). :type mount_point: str | unicode :return: The JSON response of the request :rtype: requests.Response rolesrFrAr r)rrJr rrrrrconfigure_zeroaddress_roles"zSsh.configure_zeroaddress_rolescCr@)a.This endpoint deletes the zero-address roles configuration. :param mount_point: Specifies the place where the secrets engine will be accessible (default: ssh). :type mount_point: str | unicode :return: The JSON response of the request :rtype: requests.Response rFrArrrCrrrdelete_zeroaddress_role>s zSsh.delete_zeroaddress_rolecCs*||d}tjd||d}|jj||dS)aThis endpoint creates credentials for a specific username and IP with the parameters defined in the given role. :param name: Specifies the name of the role to create credentials against. This is part of the request URL. :type name: str | unicode :param username: Specifies the username on the remote host. :type username: str | unicode :param ip: Specifies the IP of the remote host. :type ip: str | unicode :param mount_point: Specifies the place where the secrets engine will be accessible (default: ssh). :type mount_point: str | unicode :return: The JSON response of the request :rtype: requests.Response )usernameipz/v1/{mount_point}/creds/{name}r r r)rr rNrOr rrrrrgenerate_ssh_credentialsNszSsh.generate_ssh_credentialscCrI)aThis endpoint lists all of the roles with which the given IP is associated. :param ip: Specifies the IP of the remote host. :type ip: str | unicode :param mount_point: Specifies the place where the secrets engine will be accessible (default: ssh). :type mount_point: str | unicode :return: The JSON response of the request :rtype: requests.Response rOz/v1/{mount_point}/lookuprAr r)rrOr rrrrrlist_roles_by_iporLzSsh.list_roles_by_ipcCrI)aThis endpoint verifies if the given OTP is valid. This is an unauthenticated endpoint. :param otp: Specifies the One-Time-Key that needs to be validated. :type otp: str | unicode :param mount_point: Specifies the place where the secrets engine will be accessible (default: ssh). :type mount_point: str | unicode :return: The JSON response of the request :rtype: requests.Response otpzv1/{mount_point}/verifyrAr r)rrRr rrrrrverify_ssh_otprLzSsh.verify_ssh_otpTzssh-rsarc Cs.|||||d}tjd|d}|jj||dS)aEThis endpoint allows submitting the CA information for the secrets engine via an SSH key pair. :param private_key: Specifies the private key part the SSH CA key pair. :type private_key: str | unicode :param public_key: Specifies the public key part of the SSH CA key pair. :type public_key: str | unicode :param generate_signing_key: Specifies if Vault should generate the signing key pair internally. (default: True) :type generate_signing_key: bool :param key_type: Specifies the desired key type for the generated SSH CA key when generate_signing_key is set to true. (default: ssh-rsa) :type key_type: str | unicode :param key_bits: Specifies the desired key bits for the generated SSH CA key when generate_signing_key is set to true. (default: 0) :type key_bits: int :param mount_point: Specifies the place where the secrets engine will be accessible (default: ssh). :type mount_point: str | unicode :return: The JSON response of the request :rtype: requests.Response ) private_key public_keygenerate_signing_keyr&r'/v1/{mount_point}/config/carAr r) rrTrUrVr&r'r rrrrrsubmit_ca_informationszSsh.submit_ca_informationcCr@)a@This endpoint deletes the CA information for the backend via an SSH key pair. :param mount_point: Specifies the place where the secrets engine will be accessible (default: ssh). :type mount_point: str | unicode :return: The JSON response of the request :rtype: requests.Response rWrArrrCrrrdelete_ca_informationrHzSsh.delete_ca_informationcCr@)a+This endpoint reads the configured/generated public key. :param mount_point: Specifies the place where the secrets engine will be accessible (default: ssh). :type mount_point: str | unicode :return: The JSON response of the request :rtype: requests.Response rWrArr=rCrrrread_public_keys  zSsh.read_public_keyuserc Cs4|||||||d} tjd| |d} |jj| | dS)aThis endpoint signs an SSH public key based on the supplied parameters, subject to the restrictions contained in the role named in the endpoint. :param name: Specifies the name of the role to sign. This is part of the request URL. :type name: str | unicode :param public_key: Specifies the SSH public key that should be signed. :type public_key: str | unicode :param ttl: Specifies the Requested Time To Live. :type ttl: str | unicode :param valid_principals: Specifies valid principals that the certificate should be signed for. :type valid_principals: str | unicode :param cert_type: Specifies the type of certificate to be created; either "user" or "host". (default: user) :type cert_type: str | unicode :param key_id: Specifies the key id that the created certificate should have. :type key_id: str | unicode :param critical_options: Specifies a map of the critical options that the certificate should be signed for. :type critical_options: dict :param extensions: Specifies a map of the extensions that the certificate should be signed for. :type extensions: dict :param mount_point: Specifies the place where the secrets engine will be accessible (default: ssh). :type mount_point: str | unicode :return: The JSON response of the request :rtype: requests.Response )rUr-valid_principals cert_typekey_idcritical_options extensionsz/v1/{mount_point}/sign/{name}r r r) rr rUr-r\r]r^r_r`r rrrrr sign_ssh_keys% zSsh.sign_ssh_key)__name__ __module__ __qualname____doc__DEFAULT_MOUNT_POINTrrr<r?rDrErGrKrMrPrQrSrXrYrZrarrrrr s #       #   .  rN)rehvacrhvac.api.vault_api_baserrfrrrrrs