Source code for consul.api.acl
from __future__ import annotations
import json
from typing import Any, TypedDict
from consul.api.acl.auth_method import AuthMethod
from consul.api.acl.binding_rule import BindingRule
from consul.api.acl.policy import Policy
from consul.api.acl.role import Role
from consul.api.acl.templated_policy import TemplatedPolicy
from consul.api.acl.token import AclToken, Token
from consul.callback import CB
[docs]
class AclLoginResult(TypedDict, total=False):
AccessorID: str
SecretID: str
Description: str
Roles: list[dict[str, str]]
ServiceIdentities: list[dict[str, Any]]
Local: bool
AuthMethod: str
CreateTime: str
Hash: str
CreateIndex: int
ModifyIndex: int
[docs]
class ACL:
def __init__(self, agent) -> None:
self.agent = agent
self.token = self.tokens = Token(agent)
self.policy = self.policies = Policy(agent)
self.templated_policy = self.templated_policies = TemplatedPolicy(agent)
self.role = self.roles = Role(agent)
self.auth_method = self.auth_methods = AuthMethod(agent)
self.binding_rule = self.binding_rules = BindingRule(agent)
[docs]
def bootstrap(self, bootstrap_secret: str | None = None) -> AclToken:
"""
Performs a one-time bootstrap of the ACL system, creating the initial management token.
Only succeeds once per cluster; fails with ACLPermissionDenied if already bootstrapped.
Requires no token.
:param bootstrap_secret: Optional pre-generated SecretID for the bootstrap token
(supported on newer Consul versions; omit to let Consul generate one).
:return: The bootstrap (initial management) token information
"""
json_data: dict[str, Any] = {}
if bootstrap_secret:
json_data["BootstrapSecret"] = bootstrap_secret
return self.agent.http.put(CB.json(), "/v1/acl/bootstrap", data=json.dumps(json_data))
[docs]
def login(
self,
auth_method: str,
bearer_token: str,
meta: dict[str, str] | None = None,
) -> AclLoginResult:
"""
Exchanges an auth method bearer token for a newly-created Consul ACL token.
Requires no token; the bearer token itself is validated against *auth_method*.
:param auth_method: The name of the auth method to authenticate against.
:param bearer_token: The bearer token to present to the auth method (e.g. a Kubernetes
service account token or a signed JWT).
:param meta: Optional key/value metadata to link to the created token.
:return: The newly-created token information
"""
json_data: dict[str, Any] = {"AuthMethod": auth_method, "BearerToken": bearer_token}
if meta:
json_data["Meta"] = meta
return self.agent.http.post(CB.json(), "/v1/acl/login", data=json.dumps(json_data))
[docs]
def logout(self, token: str) -> bool:
"""
Destroys a token created via :meth:`login`. Requires no privileges beyond possessing
*token* itself.
:param token: The secret ID of the token to destroy (not the client's default token).
:return: True if the token was destroyed
"""
headers = self.agent.prepare_headers(token)
return self.agent.http.post(CB.boolean(), "/v1/acl/logout", headers=headers)