
hvac's Introduction

hvac


HashiCorp Vault API client for Python 3.x


Tested against the latest release, HEAD ref, and 3 previous minor versions (counting back from the latest release) of Vault. Current official support covers Vault v1.4.7 or later.

NOTE: Support for EOL Python versions will be dropped at the end of 2022. Starting in 2023, hvac will track with the CPython EOL dates.

Installation

pip install hvac

If you would like to be able to return parsed HCL data as a Python dict for methods that support it:

pip install "hvac[parser]"

Documentation

Additional documentation for this module is available at hvac.readthedocs.io.

hvac's People

Contributors

and-semakin, blarghmatey, briantist, cburroughs, colin-pm, crmullineravsec, dependabot[bot], derbrobro, dosisod, drewmullen, dudesons, hugovk, ianunruh, ianwestcott, intgr, jeffwecan, llamasoft, mblau-leaffilter, mracter, mweigel, mwielgoszewski, nicr9, otakup0pe, ramiamar, seanmalloy, terryhowe, tot19, trishankatdatadog, tylerlhess, vamshideveloper


hvac's Issues

Support round-robin discovery.

When specifying a vault URL, it should be possible to request round-robin discovery if the first returned vault is still sealed.

i.e.

http://vault.example.org might resolve to several addresses 10.11.11.2,10.11.11.4,10.11.11.5,10.11.11.6,10.11.11.7.

Currently if the client gets handed 1 address by DNS and it happens to be sealed, an exception is thrown. It would be convenient if the client would reliably try the other resolved addresses before failing to see if an unsealed node is available.
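hvac does not do this itself, so the loop has to live in the caller. The following is an added example, not hvac's own code: it resolves the Vault hostname, rewrites the URL to each address in turn, and keeps the first node whose seal-status probe reports unsealed. The probe is injected so the selection logic runs offline; the live probe in the __main__ block uses hvac's Client(url=...).sys.is_sealed(), and requests' connection errors derive from OSError, so refused or timed-out nodes are skipped rather than aborting the search.

```python
"""Pick an unsealed Vault node from all addresses a hostname resolves to.

Added example, not part of hvac. `is_sealed` is an injectable probe so the
selection logic can be exercised without a server.
"""
import socket
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit, urlunsplit


def resolve_addresses(url: str) -> list:
    """Return the distinct addresses the URL's host resolves to (DNS round-robin set)."""
    parts = urlsplit(url)
    infos = socket.getaddrinfo(parts.hostname, parts.port or 8200, type=socket.SOCK_STREAM)
    seen = []
    for info in infos:
        addr = info[4][0]
        if addr not in seen:
            seen.append(addr)
    return seen


def address_url(url: str, addr: str) -> str:
    """Rewrite the URL to point at one concrete address, keeping scheme, port and path."""
    parts = urlsplit(url)
    host = f"[{addr}]" if ":" in addr else addr          # bracket IPv6 literals
    netloc = f"{host}:{parts.port}" if parts.port else host
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def find_unsealed(url: str, addresses: Iterable[str],
                  is_sealed: Callable[[str], bool]) -> Optional[str]:
    """Return the first per-address URL whose node reports unsealed, else None.

    is_sealed(url) -> bool is the probe. OSError (which covers requests'
    ConnectionError and timeouts) means "node not usable, try the next one".
    """
    for addr in addresses:
        candidate = address_url(url, addr)
        try:
            if not is_sealed(candidate):
                return candidate
        except OSError:
            continue
    return None


if __name__ == "__main__":
    import sys
    import hvac  # only needed for the live probe

    base = sys.argv[1] if len(sys.argv) > 1 else "http://vault.example.org:8200"

    def live_probe(candidate: str) -> bool:
        # hvac's seal-status call; no token needed
        return hvac.Client(url=candidate).sys.is_sealed()

    print(find_unsealed(base, resolve_addresses(base), live_probe))
```

One caveat for TLS deployments: connecting to a per-address URL makes requests verify the certificate against the IP literal, so this only works when the server certificates carry IP subjectAltNames; otherwise keep the hostname in the URL and steer the connection at a lower layer instead of weakening verification.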

EC2 Authorization Support

I was just looking at the changelog for the 0.6.0 release of Vault and noticed the new EC2 auth backend. Is there already work happening to add support for that to hvac? If not I have already started doing some work on that front. I am in the process of introducing Vault into my infrastructure and the EC2 backend will greatly simplify my life.

If there is interest in collaborating on what the end result should look like I am happy to open a PR with what I have so far so that further development can happen more in the open.

Feature request: Automate cubbyhole dance

Hashicorp has a blogpost detailing how to use cubbyhole backend for authentication with temporary tokens:

https://www.hashicorp.com/blog/vault-cubbyhole-principles.html

While that could be implemented on application side, it'd be great if hvac would have methods that could automate it. The API could be something simple like client.auth_cubbyhole('TEMP_TOKEN') which would then fetch the permanent token. I think that would suffice for both the push and pull models described in the blog.

Support new parameters on Vault aws-ec2 role creation

Vault's aws-ec2 backend supports multiple login constraints. HVAC knows about the bound_ami_id constraint originally introduced with the backend in Vault 0.6.0, but others have since been added:

  • bound_account_id (0.6.1)
  • bound_iam_role_arn (0.6.1)
  • bound_iam_instance_profile_arn (0.6.2)

HVAC's create_ec2_role() method needs to be updated to support the new constraints.

create approle secret ID with wrap-ttl

Looks like there is no way to create approle secret ID with wrap-ttl (create_role_secret_id)?

If yes, could you point out how it can be done?

Thanks!

Client.is_authenticated() throws Exception when sealed

Hi,

I'm not really sure if this is a defect or the expected functionality. When I attempt to check whether my client is properly authenticated (to verify my Token) before unsealing the Vault, I get an exception related to the Vault being sealed.

If I call is_authenticated() after unsealing my Vault, it works correctly.

Feel free to close this if it is expected behavior.

Thanks!

Write fails when path contains backslash chars

Hi,

the following script fails:

import hvac
import os

client = hvac.Client(
    url=os.environ.get('VAULT_ADDR'),
    token=os.environ.get('VAULT_TOKEN'),
    verify=os.environ.get('VAULT_SKIP_VERIFY', False)
)

client.write(
    'keyring/http://some.url/sub/entry',
    foo='bar'
)

Output:

Traceback (most recent call last):
  File "hvac_test.py", line 12, in <module>
    foo='bar'
  File "/home/pschmitt/.local/share/virtualenvs/vault-keyring-import/lib/python2.7/site-packages/hvac/v1/__init__.py", line 45, in write
    response = self._put('/v1/{0}'.format(path), json=kwargs)
  File "/home/pschmitt/.local/share/virtualenvs/vault-keyring-import/lib/python2.7/site-packages/hvac/v1/__init__.py", line 576, in _put
    return self.__request('put', url, **kwargs)
  File "/home/pschmitt/.local/share/virtualenvs/vault-keyring-import/lib/python2.7/site-packages/hvac/v1/__init__.py", line 606, in __request
    raise exceptions.InvalidRequest(errors=errors)
hvac.exceptions.InvalidRequest: missing data fields

I don't see why this fails since the request kwargs are correctly set to {'json': {'foo': 'bar'}}

Any ideas?

EDIT:

$ vault write "keyring/http://some.url/sub/entry" notes=okay
Success! Data written to: keyring/http://some.url/sub/entr

This works just fine

Separate Vault backend mocking into new project

hvac spins up a local vault instance for test integration. This would be super helpful for external projects that depend on vault. Can we move this code into a new repository? For my own use case, something like nosetest-hvac would be most helpful (containing nosetest fixtures), but I'd be excited about any testing framework integration.

travis builds failing from missing envvar

Seems the travis builds are a bit flaky due to the settings / retrieval of the vault token env var.

Might I suggest potentially considering reading from the $HOME/.vault-token file within your tests and setting the var? Admittedly not quite as clean, but would avoid these types of issues in the future, and would potentially make the code more portable to other build systems.

Feature request: Lookup/revoke tokens by accessor

Vault 6.0 introduces token accessors. When a new token is created, a secondary id is provided. This can be retained to use to refer to the token but can't be used to access the resources the token holds permissions to.

Accessors can be used for lookups and revocations but additional API endpoints have been added to cater for them. The revoke-orphan and revoke-path operations do not support accessors.

It would be great if we could add an accessor=False kwarg to the Client.lookup_token() and Client.revoke_token() methods.

Add support for revoke-self endpoint.

I'm not sure how you would like this handled, or if you accept pull requests. Figured I would open an issue. Please let me know how you would like this handled going forward. :)

Vault 0.3.0 introduced the capability to revoke your own authentication token as a cleanup step. Reference https://vaultproject.io/docs/http/sys-revoke-self.html

I would like this capability added (maybe a revoke_self_token method?), and also think it would be useful to have an optional parameter to logout to revoke the token. Maybe something like logout(revoke_token=False) by default to not change functionality, but revoke_token=True would call revoke_self_token() before setting self.token = None.

Thanks for putting together this library. Very useful!

New release for the token roles feature.

Token roles (#63) is a pretty big deal.

Is it possible to cut a new release now that this feature has arrived in master so that we can depend on it easily elsewhere?

Thanks in advance

Any chance of a 0.2.7 release

Hi,

I noticed that I can't add metadata to created tokens and the fix is lurking on master, any chance you could push a new release please?

Thanks

New release to pip

Hi, I've been using hvac and running into some small issues around new or deprecated options (create-orphan, ttl vs lease) not being supported, but looking at the code here it looks like you've actually got a lot of that fixed and simply haven't sent the next release up yet. Are you planning to do that anytime soon? Would seriously make one guy's life easier. :) Thanks!

InvalidURL when getting redirected to active leader

Not sure if it is something I am doing wrong or if hvac is having some issue with redirecting:

$ vault status
Sealed: false
Key Shares: 5
Key Threshold: 3
Unseal Progress: 0

High-Availability Enabled: true
    Mode: standby
    Leader: https://vault-server2:8200
$ pip freeze | grep hvac
hvac==0.2.13
$ python
>>> import hvac
>>> client=hvac.Client(url='https://vault-server3:8200', verify='/etc/ssl/certs/internal-ca.cert')
>>> client.auth_github('<github_token>')
/usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
/usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/connection.py:303: SubjectAltNameWarning: Certificate for vault-server3.datascience.com has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SubjectAltNameWarning
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python2.7/dist-packages/hvac/v1/__init__.py", line 544, in auth_github
    return self.auth('/v1/auth/{0}/login'.format(mount_point), json=params, use_token=use_token)
  File "/usr/local/lib/python2.7/dist-packages/hvac/v1/__init__.py", line 547, in auth
    response = self._post(url, **kwargs).json()
  File "/usr/local/lib/python2.7/dist-packages/hvac/v1/__init__.py", line 590, in _post
    return self.__request('post', url, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/hvac/v1/__init__.py", line 617, in __request
    allow_redirects=False, **_kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 461, in request
    prep = self.prepare_request(req)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 394, in prepare_request
    hooks=merge_hooks(request.hooks, self.hooks),
  File "/usr/local/lib/python2.7/dist-packages/requests/models.py", line 295, in prepare
    self.prepare_url(url, params)
  File "/usr/local/lib/python2.7/dist-packages/requests/models.py", line 349, in prepare_url
    raise InvalidURL(*e.args)
requests.exceptions.InvalidURL: Failed to parse: vault-server3:8200https:

If I set the url to the vault leader it works without errors:

>>> client=hvac.Client(url='https://vault-server2:8200', verify='/etc/ssl/certs/internal-ca.cert')
>>> client.auth_github('<github_token>')
/usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
/usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/connection.py:303: SubjectAltNameWarning: Certificate for vault-server2 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SubjectAltNameWarning
{u'lease_id': u'', u'warnings': None, u'auth': {u'lease_duration': 2592000, u'policies': [u'all-customers-read-only', u'default', u'default-user', u'systems', u'vault-testers', u'vault-user-rw'], u'client_token': u'<token>', u'accessor': u'bea40842-1acc-c7bc-a732-44eb6b1a4724', u'renewable': True, u'metadata': {u'username': u'j-lowry', u'org': u'datascienceinc'}}, u'lease_duration': 0, u'data': None, u'renewable': False}

Client Certificate CA

Is there a way to specify a CA certificate when initializing client to go along with Certificate and Private Key in the cert tuple? The absence of a way to specify CA file is a deal breaker for this library unfortunately.

!!python/unicode

It seems that I am getting python unicode (e.g. u'Some String' ) when I pull data out of Vault. Is there a way to just have it as a regular ascii string?

Rekey tests fail against Vault 0.5.x

Due to the new requirement to provide nonce to rekey operations, the integration tests for HVAC fail against Vault 0.5.x. There should be a check around rekey operations for whether or not the nonce should be handled.

[Feature Request] Response wrapping for writes

Add response wrapping support for write().

Here's an example use case:

In AppRole authentication pull model it would be necessary to be able to create wrapped secret-ids.

This would be done like this with the vault client:

$ vault write -f -wrap-ttl="1m" auth/approle/role/testrole/secret-id 
Key                             Value
---                             -----
wrapping_token:                 f5afc0ab-d381-077a-5ab7-9372536f7e54
wrapping_token_ttl:             1m0s
wrapping_token_creation_time:   2016-09-27 08:06:37.763722815 +0000 UTC

After wrapping_token is delivered to application, it can then fetch its secret-id:

$ vault unwrap f5afc0ab-d381-077a-5ab7-9372536f7e54
Key                 Value
---                 -----
secret_id           144e13ce-b3af-5e6a-2a53-9704ef96b432
secret_id_accessor  0ec3f65c-52ad-480b-1d92-1f96d4524fea

Finally application can get its authentication token:

$ vault write auth/approle/login role_id=5b7cce50-1b32-8e32-6fc3-f4b99ba67f18 secret_id=4fdb8884-3795-5269-c24f-82e3069864c1
Key             Value
---             -----
token           886e5dc6-ea74-82f4-ce77-579a7926ae71
token_accessor  65050e7e-5183-7807-2121-c8520c324ee0
token_duration  20m0s
token_renewable true
token_policies  [default]

Return None for keys which don't exist

I'm all for asking for forgiveness rather than permission, but raising an InvalidPath exception for every missed read seems a little excessive. Would you be opposed to returning None instead?

This is similar to how the vault-ruby client handles it.

  class Logical < Request
    # Read the secret at the given path. If the secret does not exist, +nil+
    # will be returned.
    #
    # @example
    #   Vault.logical.read("secret/password") #=> #<Vault::Secret lease_id="">
    #
    # @param [String] path
    #   the path to read
    #
    # @return [Secret, nil]
    def read(path)
      json = client.get("/v1/#{path}")
      return Secret.decode(json)
    rescue HTTPError => e
      return nil if e.code == 404
      raise
    end

https://github.com/hashicorp/vault-ruby/blob/master/lib/vault/api/logical.rb#L16-L32

Vault write cannot accept key as a variable

import hvac
client = hvac.Client(url="server_url", token=token)
client.is_authenticated()
True
key="Harry"
val="Potter"
client.write('secret/foo', key=val)

expected result

client.write('secret/foo', key="Potter", James="Potter", lease="1h")
>>> client.read('secret/foo')
{u'lease_id': u'', u'warnings': None, u'wrap_info': None, u'auth': None, u'lease_duration': 3600, u'request_id': u'b9f50210-3c0b-f7d0-4e04-30b2e4ff6f51', u'data': {u'Harry': u'Potter', u'lease': u'1h'}, u'renewable': False}

actual result:

client.write('secret/foo', key="Potter", James="Potter", lease="1h")
>>> client.read('secret/foo')
{u'lease_id': u'', u'warnings': None, u'wrap_info': None, u'auth': None, u'lease_duration': 3600, u'request_id': u'b9f50210-3c0b-f7d0-4e04-30b2e4ff6f51', u'data': {u'James': u'Potter', u'key': u'Potter', u'lease': u'1h'}, u'renewable': False}

How can I pass a variable holding the key to the vault.write method?

UnknownError exception name mismatch

After my token expires:

>>> client.is_authenticated()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/hvac/v1/__init__.py", line 270, in is_authenticated
    self.lookup_token()
  File "/usr/lib/python2.7/site-packages/hvac/v1/__init__.py", line 228, in lookup_token
    return self._get('/v1/auth/token/lookup-self').json()
  File "/usr/lib/python2.7/site-packages/hvac/v1/__init__.py", line 357, in _get
    return self.__request('get', url, **kwargs)
  File "/usr/lib/python2.7/site-packages/hvac/v1/__init__.py", line 400, in __request
    raise exceptions.UnknownError()
AttributeError: 'module' object has no attribute 'UnknownError'

It looks like hvac.exceptions doesn't have an UnknownError object, but does have an UnexpectedError object.

starting connection log should be debug level

[INFO ] Starting new HTTP connection (1): localhost

this should be debug level. I am using this in another application and it is logging this every time it connects, cluttering the output.

Interest in a CLI application

Is there any interest from the community in a CLI app utilizing hvac? I have found the CLI that the consulate library provides incredibly useful for interacting with consul, and figured it might be worth adding to this as well.

Feature request: Response wrapping support

I saw that Vault 0.6 has a new response wrapping feature. This could really simplify my workflow so I was hoping to add it to HVAC.

I've been looking through the Vault docs and CLI code to get a better idea of how this feature works and think it should be straight forward to implement.

Responses from vault will be wrapped if the request is sent with an X-Vault-Wrap-TTL header. This feature could be turned on by allowing **kwargs to be passed to any client method. They could then pass them along to __request() which would set the header if wrap_ttl is provided.

Unwrapping the secret would require adding an unwrap(token) method to the client. This would temporarily set client.token to match the provided token value so that it can read the wrapped secret from cubbyhole/response.

I'm planning to get started on implementing these changes today. When I have something worthwhile I'll update this thread.
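The cubbyhole handoff requested earlier on this page and the response-wrapping flow described in this issue and in "Response wrapping for writes" rely on the same two properties of the wrapping token: it can be unwrapped exactly once, and only within its TTL. The block below is an added example, not hvac or Vault code: an in-memory stand-in that models those properties so the AppRole pull model (issuer wraps a secret-id, the app unwraps it, then logs in) can be walked through offline, including the two refusals a defender cares about. A failed unwrap on the app side is the signal that the token was consumed by someone else in transit. Current hvac exposes the real thing as a wrap_ttl argument on methods such as client.auth.approle.generate_secret_id() and as client.unwrap(); the token format and timing in the block are constructed.

```python
"""In-memory model of Vault response wrapping (added example, not hvac/Vault code).

Vault keeps the wrapped response in the wrapping token's own cubbyhole; the
model below reproduces single-use and TTL-bounded unwrapping so the pull
model can be exercised without a server.
"""
import secrets
import time
from dataclasses import dataclass, field


class WrapError(Exception):
    """Unwrap refused: token unknown, already used, or expired."""


@dataclass
class _Entry:
    payload: dict
    created_at: float
    ttl: float
    used: bool = False


@dataclass
class WrappingStore:
    """Stand-in for the cubbyhole that backs response wrapping."""
    _entries: dict = field(default_factory=dict)

    def wrap(self, payload: dict, ttl: float, now: float = None) -> dict:
        """Store payload; return wrap_info-style data (token, ttl, creation time)."""
        now = time.time() if now is None else now
        token = "wrap-" + secrets.token_hex(16)  # constructed format, not Vault's
        self._entries[token] = _Entry(payload, now, ttl)
        return {"token": token, "ttl": ttl, "creation_time": now}

    def unwrap(self, token: str, now: float = None) -> dict:
        """Consume the token exactly once; refuse replays and expired tokens."""
        now = time.time() if now is None else now
        entry = self._entries.get(token)
        if entry is None:
            raise WrapError("unknown wrapping token")
        if entry.used:
            raise WrapError("wrapping token already used: possible interception")
        if now > entry.created_at + entry.ttl:
            raise WrapError("wrapping token expired")
        entry.used = True
        return entry.payload


def issuer_generate_wrapped_secret_id(store: WrappingStore, now: float) -> str:
    """Trusted side: mint an AppRole secret-id but hand out only the wrapping token."""
    secret_id = {"secret_id": secrets.token_hex(16),
                 "secret_id_accessor": secrets.token_hex(16)}
    return store.wrap(secret_id, ttl=60, now=now)["token"]


def app_fetch_secret_id(store: WrappingStore, wrapping_token: str, now: float) -> str:
    """Untrusted side: exchange the one-time token for the real secret-id."""
    return store.unwrap(wrapping_token, now=now)["secret_id"]


def pull_model_roundtrip(now: float = 0.0):
    """Run the handoff plus both failure cases.

    Returns (secret_id, replay_refused, expired_refused).
    """
    store = WrappingStore()
    token = issuer_generate_wrapped_secret_id(store, now)
    secret_id = app_fetch_secret_id(store, token, now + 5)   # delivered and used in time
    try:
        app_fetch_secret_id(store, token, now + 6)            # second use must fail
        replay_refused = False
    except WrapError:
        replay_refused = True
    stale = issuer_generate_wrapped_secret_id(store, now)
    try:
        app_fetch_secret_id(store, stale, now + 61)           # past the 60 s TTL
        expired_refused = False
    except WrapError:
        expired_refused = True
    return secret_id, replay_refused, expired_refused


if __name__ == "__main__":
    print(pull_model_roundtrip())
```

The design point is that the secret-id itself never travels through the courier that delivers the wrapping token, and the app should treat a WrapError on its first unwrap as an incident, not a retry.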

tlsv1 alert protocol version

I'm using the hvac package with vault 0.6.1. In my script, I attempt to authenticate against our Vault server with the username/password authentication method:

import hvac

# constructed placeholder: the report omits how vault_client was created
vault_client = hvac.Client(url="https://vault.example.com:8200")

vault_username = "username"
vault_pw = "mypassword"
vault_client.auth_userpass(vault_username, vault_pw)

And I'm getting this error:

$ ./script.py
Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/requests/packages/urllib3/connectionpool.py", line 595, in urlopen
    chunked=chunked)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/requests/packages/urllib3/connectionpool.py", line 352, in _make_request
    self._validate_conn(conn)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/requests/packages/urllib3/connectionpool.py", line 831, in _validate_conn
    conn.connect()
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/requests/packages/urllib3/connection.py", line 289, in connect
    ssl_version=resolved_ssl_version)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/requests/packages/urllib3/util/ssl_.py", line 308, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/ssl.py", line 377, in wrap_socket
    _context=self)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/ssl.py", line 752, in __init__
    self.do_handshake()
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/ssl.py", line 988, in do_handshake
    self._sslobj.do_handshake()
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/ssl.py", line 633, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:645)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/requests/adapters.py", line 423, in send
    timeout=timeout
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/requests/packages/urllib3/connectionpool.py", line 621, in urlopen
    raise SSLError(e)
requests.packages.urllib3.exceptions.SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:645)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "./script.py", line 33, in <module>
    vault_client.auth_userpass(vault_username, vault_pw)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/hvac/v1/__init__.py", line 481, in auth_userpass
    return self.auth('/v1/auth/{0}/login/{1}'.format(mount_point, username), json=params, use_token=use_token)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/hvac/v1/__init__.py", line 600, in auth
    response = self._post(url, **kwargs).json()
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/hvac/v1/__init__.py", line 643, in _post
    return self.__request('post', url, **kwargs)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/hvac/v1/__init__.py", line 664, in __request
    allow_redirects=False, **_kwargs)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/requests/sessions.py", line 475, in request
    resp = self.send(prep, **send_kwargs)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/requests/sessions.py", line 596, in send
    r = adapter.send(request, **kwargs)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/requests/adapters.py", line 497, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:645)

I thought it might be a TLS negotiation mismatch between my client and our Vault server but we aren't explicitly blocking/denying requests on TLSv1.

Based on the stack trace, it looks like an issue with my Python installation but I'm able to open other SSL sites in my Python environment without any problems:

$ python
Python 3.5.2 (v3.5.2:4def2a2901a5, Jun 26 2016, 10:47:25)
[GCC 4.2.1 (Apple Inc. build 5666) (dot 3)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> requests.get("https://www.howsmyssl.com/a/check")
<Response [200]>

Writes Sometimes Return Information

The PKI secret backend returns the public/private/CA certificates and key via a write.

The write call in HVAC appears to return None, and I'd like to get at its actual response to get the values back.

Example call that is currently returning None:

#!/usr/bin/env python
# vim:set nospell:

from hvac import Client
from os import environ

if __name__ == '__main__':
    client = Client(url="https://identity-1.node:8200",
                    token=environ['VAULT_TOKEN'], verify=False)
    nodecert = client.write('pki/issue/node', common_name='identity-1.node')
    print(nodecert)

Whereas the CLI interface returns values.

client object instantiates with a bad url

With hvac 0.2.3 on OSX

Currently, passing in a bad url doesn't throw any error or exception

Doing:

client = hvac.Client(url='http://234.244.22.2:8200', token='sometoken')

Successfully creates the client object. I think it should probably be validated in __init__ and throw a ConnectionError exception.

I'll get around to submitting a PR sometime this week if you agree with me.

Feature Request: create_token renewable flag

Could you add the ability to explicitly set the renewable field in the hvac.Client.create_token function?

Currently there is no way to limit ttl extension on a token (except maybe at the policy level). This feature would correspond with the /v1/ api

auth-token-create

New API proposal

Hi all,

This library has been around for around 1.5 years now and in that time, Vault has changed quite a bit. The number of features and API surface has grown a huge amount. Just in the HVAC client class, there are 98 methods, each for a different API call. The problem is that the API is starting to become a bit unwieldy.

I'd like to get some feedback from the users of this library to figure out a better path going forward to keep this client simple to use and maintainable as Vault adds more features in the future. I'd like to propose something similar to Consulate's API (a Consul client library/CLI for Python).

We could start by breaking up related functionality into subclasses and then deprecate the old monolithic methods over time, as we get closer to a 1.0 release.

Here's an example of what the new API could look like:

client = hvac.Client()

client.read('mykey')
client.write('mykey', foo='bar')

client.secret_backends.list()
client.secret_backends.enable('mysql')
client.secret_backends.disable('...')

client.token_roles.list()

client.app_roles.list()
client.app_roles.create('test')
client.app_roles.auth()

simplejson.scanner.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

For simplicity's sake I have used a and b for my app_id and user_id respectively.

Traceback (most recent call last):
  File "/etc/salt/bash/vault.py", line 30, in <module>
    client.auth_app_id('a', 'b')
  File "/usr/local/lib/python2.7/dist-packages/hvac/v1/__init__.py", line 412, in auth_app_id
    return self.auth('/v1/auth/{0}/login'.format(mount_point), json=params, use_token=use_token)
  File "/usr/local/lib/python2.7/dist-packages/hvac/v1/__init__.py", line 524, in auth
    response = self._post(url, **kwargs).json()
  File "/usr/local/lib/python2.7/dist-packages/hvac/v1/__init__.py", line 561, in _post
    return self.__request('post', url, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/hvac/v1/__init__.py", line 587, in __request
    errors = response.json().get('errors')
  File "/usr/local/lib/python2.7/dist-packages/requests/models.py", line 808, in json
    return complexjson.loads(self.text, **kwargs)
  File "/usr/lib/python2.7/dist-packages/simplejson/__init__.py", line 488, in loads
    return _default_decoder.decode(s)
  File "/usr/lib/python2.7/dist-packages/simplejson/decoder.py", line 370, in decode
    obj, end = self.raw_decode(s)
  File "/usr/lib/python2.7/dist-packages/simplejson/decoder.py", line 389, in raw_decode
    return self.scan_once(s, idx=_w(s, idx).end())
simplejson.scanner.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

Simplification of my script:

import os
import sys
import hvac

client = hvac.Client(url=os.environ.get("VAULT_ADDR"), verify=False)
client.auth_app_id('a', 'b')

Uncaught exception when using unseal_multi

Hi,

today I found an uncaught exception in the library:
When you try to unseal the vault using unseal_multi, it is possible to give a faulty key. This will result in a KeyError when you check whether or not to continue unsealing the vault on line 129.
It's not that big of a problem, but I thought I'd let you guys know.

Kind regards.

EDIT:
nevermind, I misunderstood how this library and Vault worked, the exception gets caught when the request is made.
Too bad GitHub doesn't let me remove this issue...

path parameter conflicts with 'path' key

When doing write operation on the key containing 'path' field, python gives an error about field conflict.

client.write('secret/file', path='/etc/secret/file.secret')

Possible solutions:

  • give an ability to provide a raw json-serializable array through an additional field
  • use less obvious first parameter
  • make path a part of keywords
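Both this issue and "Vault write cannot accept key as a variable" above come from the same signature shape: a positional path followed by free keyword arguments that become the JSON body. The block below is an added example, not hvac's code; stand_in_write is a constructed function with that shape, used to show why key=val stores a field literally named "key", how a dict of arbitrary field names is passed by unpacking it as keywords, and why a field called "path" cannot be passed that way at all.

```python
"""Dynamic field names against a write(path, **kwargs)-style API (added example).

stand_in_write is a constructed stand-in with the same parameter shape as
the old hvac Client.write; it only returns what it would send.
"""


def stand_in_write(path, wrap_ttl=None, **kwargs):
    """Return the request the old-style write() would build: URL path plus JSON body."""
    return {"path": path, "json": kwargs, "wrap_ttl": wrap_ttl}


def write_literal_key(path, value):
    """The pitfall from the issue: `key=value` names the field "key", not the variable's value."""
    key = "Harry"           # the caller's intended field name
    return stand_in_write(path, key=value)  # field name is the literal word "key"


def write_fields(path, fields):
    """Write a dict of fields, whatever their names, by unpacking it as keyword arguments."""
    return stand_in_write(path, **fields)


def try_path_field():
    """Show that a field literally named 'path' collides with the positional parameter.

    Returns the TypeError message, or None if (unexpectedly) no error was raised.
    """
    try:
        write_fields("secret/file", {"path": "/etc/secret/file.secret"})
    except TypeError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(write_literal_key("secret/foo", "Potter"))
    print(write_fields("secret/foo", {"Harry": "Potter", "James": "Potter"}))
    print(try_path_field())
```

The collision is inherent to any API that spreads the payload into keyword arguments; the durable fix is an API that takes the payload as a single dict, as hvac's KV v2 client.secrets.kv.v2.create_or_update_secret(path=..., secret={...}) does, so that field names never compete with parameter names.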

is_authenticated() returns false after correct auth_app_id() call.

setup:

$ vault auth-enable app-id
$ vault write auth/app-id/map/app-id/0d1ab824-d56d-4fed-991d-5056dccf3ce1 value=root display_name=root
$ vault write auth/app-id/map/user-id/66064160138498 value=0d1ab824-d56d-4fed-991d-5056dccf3ce1

code:

>>> import uuid
>>> import hvac
>>> appID = '0d1ab824-d56d-4fed-991d-5056dccf3ce1'  # the app-id mapped in the setup above
>>> client = hvac.Client("http://127.0.0.1:8200")
>>> print client.auth_app_id(appID, uuid.getnode())
{u'lease_id': u'', u'lease_duration': 0, u'data': None, u'auth': {u'client_token': u'c2faafc8-fdaa-f92d-423a-6bc57debcb8a', u'lease_duration': 2592000, u'renewable': False, u'policies': [u'root'], u'metadata': {u'userid': u'sha1:e3676dc08fd42cbb74cbcd7d77ff87b5f0225efb', u'app-id':u'sha1:8b9dcb03444de65755802dd6e65dc134f6c35bff'}}, u'renewable': False}
>>> print client.token
u'c2faafc8-fdaa-f92d-423a-6bc57debcb8a'
>>> print client.is_authenticated()
False

Makes me sad. read/write work, even if is_authenticated lies to you. You can go forth and write, read, etc (per policy)

Certificate verify failed

I have a certificate for a domain but am referencing a local vault server over TLS in my script. I want to ignore the tls verification problem but I get the following error when I do assert client.is_authenticated()

SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
