"""Top-level functions"""
from .gh import GitHubApp, TokenResponse
from .vault import VaultTransit
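def import_app_key(
    pem_key: bytes | str,
    *,
    key_name: str,
    vault_addr: str,
    vault_token: str,
    transit_backend: str = "transit",
    revoke_vault_token: bool = False,
) -> None:
    """
    Import GitHub App key into Vault's Transit engine

    :param pem_key: The App's PEM formatted private RSA key. A ``str`` is
        encoded to ``bytes`` before it is handed to Vault.
    :param key_name: Name which Vault's Transit Engine will know the key by.
    :param vault_addr: Vault instance VAULT_ADDR.
    :param vault_token: Vault instance VAULT_TOKEN.
    :param transit_backend: Transit backend mount path. Defaults to "transit".
    :param revoke_vault_token: Revoke `vault_token` once done? Defaults to False.
        When True the token is revoked even if the import raises, so a failed
        run does not leave a live Vault token behind.
    """
    if isinstance(pem_key, str):
        pem_key = pem_key.encode()
    transit = VaultTransit(
        vault_addr=vault_addr,
        vault_token=vault_token,
        transit_backend=transit_backend,
    )
    try:
        transit.import_key(
            key_name=key_name,
            pem_app_key=pem_key,
        )
    finally:
        # Revoke on the error path too: the caller asked for a short-lived
        # token, and an exception in import_key must not extend its lifetime.
        if revoke_vault_token:
            transit.revoke_token()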
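def issue_access_token(
    *,
    key_name: str,
    vault_addr: str,
    vault_token: str,
    app_id: int | str,
    account: str,
    permissions: None | dict[str, str] = None,
    repositories: None | list[str] = None,
    transit_backend: str = "transit",
    revoke_vault_token: bool = False,
) -> TokenResponse:
    """
    Issue GitHub Access Token

    The App JWT is signed by Vault's Transit engine (``transit.sign_jwt``)
    and then exchanged with GitHub for an installation access token.

    :param key_name: Name which Vault's Transit Engine knows the App key by.
    :param vault_addr: Vault instance VAULT_ADDR.
    :param vault_token: Vault instance VAULT_TOKEN.
    :param app_id: GitHub App ID. An ``int`` is converted to ``str`` before
        signing.
    :param account: GitHub account to access, where the App is installed.
    :param permissions: Optionally scope (down) token permissions.
    :param repositories: Optionally limit accessible repositories.
    :param transit_backend: Vault Transit backend mount path. Defaults to "transit".
    :param revoke_vault_token: Revoke `vault_token` once done? Defaults to False.
        When True the token is revoked even if signing or the GitHub exchange
        raises, so a failed run does not leave a live Vault token behind.
    :return: The requested access token; together with its expiry
        time, permission scope and optionally covered repositories.
    """
    if isinstance(app_id, int):
        app_id = str(app_id)
    transit = VaultTransit(
        vault_addr=vault_addr,
        vault_token=vault_token,
        transit_backend=transit_backend,
    )
    try:
        jwt: str = transit.sign_jwt(
            key_name=key_name,
            app_id=app_id,
        )
        ghapp = GitHubApp(
            account=account,
            jwt_token=jwt,
        )
        access_token: TokenResponse = ghapp.issue_token(
            permissions=permissions,
            repositories=repositories,
        )
    finally:
        # Revoke on the error path too: a failure in sign_jwt or issue_token
        # must not leave the Vault token alive when the caller asked for it
        # to be revoked.
        if revoke_vault_token:
            transit.revoke_token()
    return access_token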