#!/usr/bin/env python
"""LDAP methods module."""
from hvac import utils
from hvac.api.vault_api_base import VaultApiBase
# Default mount path of the ldap secrets engine; every method below takes a
# ``mount_point`` argument so engines mounted elsewhere can be addressed.
DEFAULT_MOUNT_POINT = "ldap"
class Ldap(VaultApiBase):
    """LDAP Secrets Engine (API).

    Each method builds a ``/v1/{mount_point}/...`` path with
    ``utils.format_url`` and hands it to ``self._adapter``; transport
    concerns (token, TLS, HTTP error mapping) live in the adapter, not here.

    Reference: https://www.vaultproject.io/api/secret/ldap/index.html
    """

    @staticmethod
    def _static_role_url(name, mount_point):
        """Return the URL of the static-role entry *name* under *mount_point*."""
        return utils.format_url("/v1/{}/static-role/{}", mount_point, name)

    def read_config(self, mount_point=DEFAULT_MOUNT_POINT):
        """Read the shared configuration of the ldap secrets engine.

        Credentials are omitted from the returned data.

        Supported methods:
            GET: /{mount_point}/config. Produces: 200 application/json

        :param mount_point: The "path" the method/backend was mounted on.
        :type mount_point: str | unicode
        :return: The JSON response of the request.
        :rtype: dict
        """
        url = utils.format_url("/v1/{mount_point}/config", mount_point=mount_point)
        return self._adapter.get(url=url)

    def rotate_root(self, mount_point=DEFAULT_MOUNT_POINT):
        """Rotate the password of the binddn entry the ldap secrets engine binds with.

        This is a mutating call against the directory account Vault itself
        uses, not a read; treat it as a privileged operation.

        Supported methods:
            POST: /{mount_point}/rotate-root. Produces: 200 application/json

        :param mount_point: The "path" the method/backend was mounted on.
        :type mount_point: str | unicode
        :return: The JSON response of the request.
        :rtype: dict
        """
        url = utils.format_url(
            "/v1/{mount_point}/rotate-root", mount_point=mount_point
        )
        return self._adapter.post(url=url)

    def create_or_update_static_role(
        self,
        name,
        username=None,
        dn=None,
        rotation_period=None,
        mount_point=DEFAULT_MOUNT_POINT,
    ):
        """Create or update an ldap static role definition.

        :param name: Name of the static role to create or update.
        :type name: str | unicode
        :param username: Name of a pre-existing LDAP service account that this
            static role manages. Required on create; cannot be changed afterwards.
        :type username: str | unicode
        :param dn: Distinguished name of the existing LDAP entry whose password
            is rotated (takes precedence over ``username``). Optional; cannot be
            changed after creation.
        :type dn: str | unicode
        :param rotation_period: How often Vault rotates the password, either a
            duration string with a suffix such as "30s" or "1h", or a number of
            seconds. When omitted Vault applies its default rotation_period.
        :type rotation_period: str | unicode
        :param mount_point: The "path" the method/backend was mounted on.
        :type mount_point: str | unicode
        :return: The response of the request.
        :rtype: requests.Response
        """
        url = self._static_role_url(name, mount_point)
        # ``username`` and ``rotation_period`` are always sent (as JSON null
        # when not given); only ``dn`` is dropped when it is None.
        # NOTE(review): the asymmetry is preserved deliberately — confirm with
        # the Vault API whether explicit nulls are intended here.
        body = {"username": username, "rotation_period": rotation_period}
        if dn is not None:
            body["dn"] = dn
        return self._adapter.post(url=url, json=body)

    def read_static_role(self, name, mount_point=DEFAULT_MOUNT_POINT):
        """Query the definition of the ldap static role called *name*.

        Vault answers 404 when no role of that name exists.

        :param name: Name of the static role to query.
        :type name: str | unicode
        :param mount_point: The "path" the method/backend was mounted on.
        :type mount_point: str | unicode
        :return: The response of the request.
        :rtype: requests.Response
        """
        return self._adapter.get(url=self._static_role_url(name, mount_point))

    def list_static_roles(self, mount_point=DEFAULT_MOUNT_POINT):
        """List every static role defined in the secrets engine.

        :param mount_point: The "path" the method/backend was mounted on.
        :type mount_point: str | unicode
        :return: The response of the request.
        :rtype: requests.Response
        """
        url = utils.format_url("/v1/{}/static-role", mount_point)
        return self._adapter.list(url=url)

    def delete_static_role(self, name, mount_point=DEFAULT_MOUNT_POINT):
        """Delete the ldap static role called *name*.

        Vault reports success even when the role does not exist, so a 2xx
        response is not proof that anything was removed.

        :param name: Name of the role to delete.
        :type name: str | unicode
        :param mount_point: The "path" the method/backend was mounted on.
        :type mount_point: str | unicode
        :return: The response of the request.
        :rtype: requests.Response
        """
        return self._adapter.delete(url=self._static_role_url(name, mount_point))

    def generate_static_credentials(self, name, mount_point=DEFAULT_MOUNT_POINT):
        """Fetch the previous and current LDAP password of the account behind
        static role *name* (Vault rotates first if a rotation is due).

        The response body carries live passwords; callers should avoid
        logging or persisting it beyond immediate use.

        :param name: Name of the static role to request credentials from.
        :type name: str | unicode
        :param mount_point: The "path" the method/backend was mounted on.
        :type mount_point: str | unicode
        :return: The response of the request.
        :rtype: requests.Response
        """
        url = utils.format_url("/v1/{}/static-cred/{}", mount_point, name)
        return self._adapter.get(url=url)

    def rotate_static_credentials(self, name, mount_point=DEFAULT_MOUNT_POINT):
        """Rotate the password of the account behind static role *name* now.

        :param name: Name of the static role whose credentials are rotated.
        :type name: str | unicode
        :param mount_point: The "path" the method/backend was mounted on.
        :type mount_point: str | unicode
        :return: The response of the request.
        :rtype: requests.Response
        """
        url = utils.format_url("/v1/{}/rotate-role/{}", mount_point, name)
        return self._adapter.post(url=url)