Make plaintext and ciphertext optional for batch operations:

The Vault API requires setting `plaintext` and `ciphertext` for the encrypt and decrypt API, even though they are ignored when `batch_input` is set. This means that end users have to include an empty argument when doing batch operations, which is a bit annoying.
hvac · Sep 9, 2023 · 5adc496 · 5adc496
1 parent 6ae1d21
commit 5adc496
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 4 deletions.
diff --git a/hvac/api/secrets_engines/transit.py b/hvac/api/secrets_engines/transit.py
@@ -314,7 +314,7 @@ def export_key(self, name, key_type, version=None, mount_point=DEFAULT_MOUNT_POI
     def encrypt_data(
         self,
         name,
-        plaintext,
+        plaintext=None,
         context=None,
         key_version=None,
         nonce=None,
@@ -335,7 +335,7 @@ def encrypt_data(
 
         :param name: Specifies the name of the encryption key to encrypt against. This is specified as part of the URL.
         :type name: str | unicode
-        :param plaintext: Specifies base64 encoded plaintext to be encoded.
+        :param plaintext: Specifies base64 encoded plaintext to be encoded. Not needed if batch_input is set.
         :type plaintext: str | unicode
         :param context: Specifies the base64 encoded context for key derivation. This is required if key derivation is
             enabled for this key.
@@ -367,6 +367,8 @@ def encrypt_data(
         :return: The JSON response of the request.
         :rtype: dict
         """
+        if not plaintext and not batch_input:
+            raise ValueError("plaintext must be specified unless batch_input is set")
         params = {
             "plaintext": plaintext,
         }
@@ -395,7 +397,7 @@ def encrypt_data(
     def decrypt_data(
         self,
         name,
-        ciphertext,
+        ciphertext=None,
         context=None,
         nonce=None,
         batch_input=None,
@@ -408,7 +410,7 @@ def decrypt_data(
 
         :param name: Specifies the name of the encryption key to decrypt against. This is specified as part of the URL.
         :type name: str | unicode
-        :param ciphertext: the ciphertext to decrypt.
+        :param ciphertext: The ciphertext to decrypt. Not needed if batch_input is set.
         :type ciphertext: str | unicode
         :param context: Specifies the base64 encoded context for key derivation. This is required if key derivation is
             enabled.
@@ -426,6 +428,8 @@ def decrypt_data(
         :return: The JSON response of the request.
         :rtype: dict
         """
+        if not ciphertext and not batch_input:
+            raise ValueError("ciphertext must be specified unless batch_input is set")
         params = {
             "ciphertext": ciphertext,
         }

diff --git a/tests/integration_tests/api/secrets_engines/test_transit.py b/tests/integration_tests/api/secrets_engines/test_transit.py
@@ -989,3 +989,11 @@ def test_trim_key(self, label, min_version=2, raises=False, exception_message=""
                 first=bool(trim_key_response),
                 second=True,
             )
+
+    def test_encrypt_data_requires_plaintext_arg_if_not_in_batch_mode(self):
+        with self.assertRaises(ValueError, msg="plaintext must be specified"):
+            self.client.secrets.transit.encrypt_data(name="any-key")
+
+    def test_decrypt_data_requires_cipher_arg_if_not_in_batch_mode(self):
+        with self.assertRaises(ValueError, msg="ciphertext must be specified"):
+            self.client.secrets.transit.decrypt_data(name="any-key")