knox.backend¶

Apache Software License 2.0

Licensed under the Apache License, Version 2.0 (the “License”); you may not use this file except in compliance with the License. You may obtain a copy of the License at

https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

class knox.backend.Store(settings, engine_name: str = 'vault')[source]¶

Bases: object

Abstract class to generalize access to the different stores

_engine_map = {'aws': <class 'knox.backend.store_acm.ACMStoreEngine'>, 'file': <class 'knox.backend.store_file.FileStoreEngine'>, 'vault': <class 'knox.backend.store_vault.VaultStoreEngine'>}¶

delete(path: str, name: str) → bool[source]¶: Remove the object from the store

find(pattern: str) → list[source]¶: Given a pattern, return collection of all objects Search patterns : abc.8x8.com, abc.8x8.com/, 8x8.com/

get(path: str, name: str, type=None) → knox.backend.store_object.StoreObject[source]¶: Given path read object

save(obj: knox.backend.store_object.StoreObject) → bool[source]¶: Save the given object to persistence

subjectaltfind(pattern: str) → list[source]¶: Fetch the certificate information based on subject alternative name

class knox.backend.StoreObject(name: str, path: str, body: str, info: str, type=None)[source]¶

Bases: object

Metadata interface for objects being persisted in a backend

_body = None¶: Content that will be persisted

_data = None¶: Complete map of object

_info = None¶: Metadata about the object being stored

_mount = None¶: Mount point

_name = None¶: Name of the objects store key

_path = None¶: Path from store mount point to find store key

_type = None¶: A way to classify StoreObjects

_version = None¶: Store revision

body¶: Content to persist, typically JSON

data¶

info¶: Object metadata

static md5(obj: {}) → str[source]¶

name¶: Object name

path¶: Path attribute

path_name¶: Convenience method to generate path/name for store

type¶

version¶: Object version

class knox.backend.StoreEngine[source]¶

Bases: object

The abstract persistence strategy for storing the certificates

close() → bool[source]¶: Close access to the persistence

delete(path: str, name: str) → bool[source]¶: Delete from the store

initialize() → bool[source]¶: Ensure the store is configured properly

open() → bool[source]¶: Initialize access to the persistence

read(path: str, name: str, type=None) → knox.backend.store_object.StoreObject[source]¶: Read from the store

write(obj: knox.backend.store_object.StoreObject) → bool[source]¶: Write to the store

class knox.backend.VaultStoreEngine(settings)[source]¶

Bases: knox.backend.store_engine.StoreEngine

Vault implementation of the StoreEngine interface

close() → bool[source]¶: Ensure we close the vault connection

delete(path: str, name: str) → bool¶: Delete from the store

find(pattern) → list[source]¶

Search certificate info for a given search pattern

Parameters:	pattern (str) – Search glob pattern ex: , abc.8x8.com, abc.8x8.com/, 8x8.com/*
Returns:	list

initialize() → bool[source]¶: Ensure the Vault client is initialized

open() → bool[source]¶: Ensure the Vault client is connected

read(path: str, name: str, type=None) → knox.backend.store_object.StoreObject[source]¶

Using the provided path and name retrieve the data from the store and create a new StoreObject

Parameters:	path (str) – Store path to the object name (str) – Name of the object to retrieve type (str) – StoreObject type, if known
Returns:	StoreObject

write(obj: knox.backend.store_object.StoreObject) → bool[source]¶

Given a StoreObject, store it into vault using mount/path/name == body,info

Parameters:	obj (StoreObject) – The StoreObject to persist
Returns:	bool

class knox.backend.VaultClient(settings: dynaconf.base.LazySettings)[source]¶

Bases: object

Client commands not available via hvac

_VaultClient__headers = {'Content-Type': 'application/json', 'X-Vault-Token': ''}¶

__approle = None¶: Application Role ID

__mount = None¶: Engine mount path

__mounts = None¶: Map of Vault mounts

__secretid = None¶: Application Role Secret ID

__token = None¶: Auth token

__url = None¶: Vault server URL

_get(path: str) → <module 'json' from '/home/docs/.pyenv/versions/3.7.9/lib/python3.7/json/__init__.py'>[source]¶

GET REST API wrapper method

Parameters:	path (String) – Vault API to query
Returns:	JSON paylod

_post(path: str, data: <module 'json' from '/home/docs/.pyenv/versions/3.7.9/lib/python3.7/json/__init__.py'>) → <module 'json' from '/home/docs/.pyenv/versions/3.7.9/lib/python3.7/json/__init__.py'>[source]¶

POST REST API wrapper method

Parameters:	path (String) – Vault API to change or create data (JSON) – Required request body
Returns:	requests.Response object

_put(path: str, data: <module 'json' from '/home/docs/.pyenv/versions/3.7.9/lib/python3.7/json/__init__.py'>) → requests.models.Response[source]¶

PUT REST API wrapper method

Parameters:	path (String) – Vault API to change or create data (JSON) – Required request body
Returns:	requests.Response object

connect() → bool[source]¶: Knox uses an approle scheme to authenticate with Vault. This requires fetching a fresh, short lived, API token for every call to the API.

get_mounts() → <module 'json' from '/home/docs/.pyenv/versions/3.7.9/lib/python3.7/json/__init__.py'>[source]¶

Refresh set of mounts from Vault

Returns:	JSON

initialize() → bool[source]¶

During initialization, if in admin mode, ensure the kv mount point has been registered with Vault. To enable admin mode use the hidden param –admin with any command.

knox –admin store find

logout() → bool[source]¶

match = 'False'¶

mount¶

new_mount(mount: str) → bool[source]¶

Will create a vault mount of type k/v V2 if it doesn’t exist

Parameters:	mount (String) – Name of the Vault K/V Secret Engine
Returns:	Boolean

read(path: str, name: str, type: str = None) → tuple[source]¶

Given a path and name retrieve a tuple of dictionaries to create a StoreObject cert_body cert_info

Parameters:	path (str) – The path where the StoreObjects data is stored name (str) – Name of the StoreObject to retrieve type (str) – The type of StoreObject i.e. PEM

search(rootpath: str, rootkey: str, searchresults: list, pattern: str = None) → list[source]¶

Search for ‘cert_info’ for a given vault path

Parameters:	rootpath (str) – Beginning search path rootkey (str) – Used to get commonname from search path searchresults (list) – Stores the search results..default is empty pattern (str) – Unaltered search pattern
Returns:	list

token¶

upsert(obj: knox.backend.store_object.StoreObject) → bool[source]¶

Given a StoreObject create or update it into Vault. Metadata and content are stored separately to allow querying of non sensitive details.

param obj: The object to store

type obj: StoreObject

return: Boolean

url¶

class knox.backend.FileStoreEngine(settings)[source]¶

Bases: knox.backend.store_engine.StoreEngine

close() → bool¶: Close access to the persistence

delete(path: str, name: str) → bool¶: Delete from the store

initialize() → bool¶: Ensure the store is configured properly

open() → bool¶: Initialize access to the persistence

read(path: str, name: str, type=None) → knox.backend.store_object.StoreObject¶: Read from the store

write(obj: knox.backend.store_object.StoreObject) → bool¶: Write to the store