Merge remote-tracking branch 'upstream/master'

Author: lionelz

.travis.yml

@@ -5,6 +5,8 @@ matrix:
   include:
   - python: '3.6'
     env: TOXENV=py36 VAULT_BRANCH=release RELEASE=yes
+  - python: '3.6'
+    env: TOXENV=py36-flake8 VAULT_BRANCH=release RELEASE=yes
   - python: '3.6'
     env: TOXENV=py36 VAULT_BRANCH=head
   allow_failures:

CHANGELOG.md

@@ -1,3 +1,47 @@
+# Changelog
+
+## 0.6.0 (June 14, 2018)
+
+BACKWARDS COMPATIBILITY NOTICE:
+
+* Token revocation now sends the token in the request payload. Requires Vault >0.6.5
+* Various methods have new and/or re-ordered keyword arguments. Code calling these methods with positional arguments
+may need to be modified.
+
+IMPROVEMENTS:
+
+* Ensure mount_point Parameter for All AWS EC2 Methods [GH-195]
+* Add Methods for Auth Backend Tuning [GH-193]
+* Customizable approle path / mount_point [GH-190]
+* Add more methods for the userpass backend [GH-175]
+* Add transit signature_algorithm parameter [GH-174]
+* Add auth_iam_aws() method [GH-170]
+* lookup_token function POST token not GET [GH-164]
+* Create_role_secret_id with wrap_ttl & fix get_role_secret_id_accessor [GH-159]
+* Fixed json() from dict bug and added additional arguments on auth_ec2() method [GH-157]
+* Support specifying period when creating EC2 roles [GH-140]
+* Added support for /sys/generate-root endpoint [GH-131] / [GH-199]
+* Added "auth_cubbyhole" method [GH-119]
+* Send token/accessor as a payload to avoid being logged [GH-117]
+* Add AppRole delete_role method [GH-112]
+
+
+BUG FIXES:
+
+* Always Specify auth_type In create_ec2_role [GH-197]
+* Fix "double parasing" of JSON response in auth_ec2 method [GH-181]
+
+Thanks to @freimer, @ramiamar, @marcoslopes, @ianwestcott, @marc-sensenich, @sunghyun-lee, @jnaulty, @sijis,
+@Myles-Steinhauser-Bose, @oxmane, @ltm, @bchannak, @tkinz27, @crmulliner, for their lovely contributions.
+
+## 0.5.0 (February 20, 2018)
+
+IMPROVEMENTS:
+
+* Added `disallowed_policies` parameter to `create_token_role` method [GH-169]
+
+Thanks to @morganda for their lovely contribution.
+
 ## 0.4.0 (February 1, 2018)
 
 IMPROVEMENTS:
@@ -9,7 +53,7 @@ BUG FIXES:
 
 * Documentation is now more accurate [GH-165] / [GH-154]
 
-Thanks to @ti-mo, @dhoeric, @RAbraham, @lhdumittan, @ahsanali for 
+Thanks to @ti-mo, @dhoeric, @RAbraham, @lhdumittan, @ahsanali for
 their lovely contributions.
 
 ## 0.3.0 (November 9, 2017)

README.md

@@ -61,6 +61,16 @@ await client.auth_app_id('MY_APP_ID', 'MY_USER_ID')
 # App Role
 await client.auth_approle('MY_ROLE_ID', 'MY_SECRET_ID')
 
+# AWS (IAM)
+client.auth_aws_iam('MY_AWS_ACCESS_KEY_ID', 'MY_AWS_SECRET_ACCESS_KEY')
+client.auth_aws_iam('MY_AWS_ACCESS_KEY_ID', 'MY_AWS_SECRET_ACCESS_KEY', 'MY_AWS_SESSION_TOKEN')
+client.auth_aws_iam('MY_AWS_ACCESS_KEY_ID', 'MY_AWS_SECRET_ACCESS_KEY', role='MY_ROLE')
+
+import boto3
+session = boto3.Session()
+credentials = session.get_credentials()
+client.auth_aws_iam(credentials.access_key, credentials.secret_key, credentials.token)
+
 # GitHub
 await client.auth_github('MY_GITHUB_TOKEN')
 
@@ -228,8 +238,9 @@ print(await client.is_sealed()) # => True
 Integration tests will automatically start a Vault server in the background. Just make sure
 the latest `vault` binary is available in your `PATH`.
 
-1. [Install Vault](https://vaultproject.io/docs/install/index.html)
+1. [Install Vault](https://vaultproject.io/docs/install/index.html) or execute `VAULT_BRANCH=release scripts/install-vault-release.sh`
 2. [Install Tox](http://tox.readthedocs.org/en/latest/install.html)
+3. Run tests: `make test`
 
 ## Contributing
 

async_hvac/__init__.py

@@ -1,2 +1,3 @@
-from async_hvac.v1 import Client
-from async_hvac.v1 import async_to_sync
+from async_hvac.v1 import AsyncClient
+# assert for flake8's sake
+assert AsyncClient

async_hvac/aws_utils.py

@@ -0,0 +1,44 @@
+import hmac
+from datetime import datetime
+from hashlib import sha256
+
+
+class SigV4Auth(object):
+    def __init__(self, access_key, secret_key, session_token=None):
+        self.access_key = access_key
+        self.secret_key = secret_key
+        self.session_token = session_token
+
+    def add_auth(self, method, headers, body):
+        if body:
+            headers['Content-Length'] = str(len(body))
+        timestamp = datetime.utcnow().strftime('%Y%m%dT%H%M%SZ')
+        headers['X-Amz-Date'] = timestamp
+
+        if self.session_token:
+            headers['X-Amz-Security-Token'] = self.session_token
+
+        # https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
+        canonical_headers = ''.join('{0}:{1}\n'.format(k.lower(), headers[k]) for k in sorted(headers))
+        signed_headers = ';'.join(k.lower() for k in sorted(headers))
+        payload_hash = sha256(body.encode('utf-8')).hexdigest()
+        canonical_request = '\n'.join([method, '/', '', canonical_headers, signed_headers, payload_hash])
+
+        # https://docs.aws.amazon.com/general/latest/gr/sigv4-create-string-to-sign.html
+        algorithm = 'AWS4-HMAC-SHA256'
+        credential_scope = '/'.join([timestamp[0:8], 'us-east-1', 'sts', 'aws4_request'])
+        canonical_request_hash = sha256(canonical_request.encode('utf-8')).hexdigest()
+        string_to_sign = '\n'.join([algorithm, timestamp, credential_scope, canonical_request_hash])
+
+        # https://docs.aws.amazon.com/general/latest/gr/sigv4-calculate-signature.html
+        key = 'AWS4{0}'.format(self.secret_key).encode('utf-8')
+        key = hmac.new(key, timestamp[0:8].encode('utf-8'), sha256).digest()
+        key = hmac.new(key, 'us-east-1'.encode('utf-8'), sha256).digest()
+        key = hmac.new(key, 'sts'.encode('utf-8'), sha256).digest()
+        key = hmac.new(key, 'aws4_request'.encode('utf-8'), sha256).digest()
+        signature = hmac.new(key, string_to_sign.encode('utf-8'), sha256).hexdigest()
+
+        # https://docs.aws.amazon.com/general/latest/gr/sigv4-add-signature-to-request.html
+        authorization = '{0} Credential={1}/{2}, SignedHeaders={3}, Signature={4}'.format(
+            algorithm, self.access_key, credential_scope, signed_headers, signature)
+        headers['Authorization'] = authorization

async_hvac/exceptions.py

@@ -7,29 +7,38 @@ def __init__(self, message=None, errors=None):
 
         super(VaultError, self).__init__(message)
 
+
 class InvalidRequest(VaultError):
     pass
 
+
 class Unauthorized(VaultError):
     pass
 
+
 class Forbidden(VaultError):
     pass
 
+
 class InvalidPath(VaultError):
     pass
 
+
 class RateLimitExceeded(VaultError):
     pass
 
+
 class InternalServerError(VaultError):
     pass
 
+
 class VaultNotInitialized(VaultError):
     pass
 
+
 class VaultDown(VaultError):
     pass
 
+
 class UnexpectedError(VaultError):
     pass