infisicalsdk 1.0.6__py3-none-any.whl → 1.0.8__py3-none-any.whl

infisical_sdk/resources/auth_methods/aws_auth.py

@@ -0,0 +1,134 @@
+from botocore.auth import SigV4Auth
+from botocore.awsrequest import AWSRequest
+from botocore.exceptions import NoCredentialsError
+
+from infisical_sdk.infisical_requests import InfisicalRequests
+from infisical_sdk.api_types import MachineIdentityLoginResponse
+
+from typing import Callable
+
+import requests
+import boto3
+import base64
+import json
+import os
+import datetime
+
+from typing import Dict, Any
+
+
+class AWSAuth:
+    def __init__(self, requests: InfisicalRequests, setToken: Callable[[str], None]) -> None:
+        self.requests = requests
+        self.setToken = setToken
+
+    def login(self, identity_id: str) -> MachineIdentityLoginResponse:
+        """
+        Login with AWS Authentication.
+
+        Args:
+            identity_id (str): Your Machine Identity ID that has AWS Auth configured.
+
+        Returns:
+            Dict: A dictionary containing the access token and related information.
+        """
+
+        identity_id = identity_id or os.getenv("INFISICAL_AWS_IAM_AUTH_IDENTITY_ID")
+        if not identity_id:
+            raise ValueError(
+              "Identity ID must be provided or set in the environment variable" +
+              "INFISICAL_AWS_IAM_AUTH_IDENTITY_ID."
+            )
+
+        aws_region = self.get_aws_region()
+        session = boto3.Session(region_name=aws_region)
+
+        credentials = self._get_aws_credentials(session)
+
+        iam_request_url = f"https://sts.{aws_region}.amazonaws.com/"
+        iam_request_body = "Action=GetCallerIdentity&Version=2011-06-15"
+
+        request_headers = self._prepare_aws_request(
+          iam_request_url,
+          iam_request_body,
+          credentials,
+          aws_region
+        )
+
+        requestBody = {
+          "identityId": identity_id,
+          "iamRequestBody": base64.b64encode(iam_request_body.encode()).decode(),
+          "iamRequestHeaders": base64.b64encode(json.dumps(request_headers).encode()).decode(),
+          "iamHttpRequestMethod": "POST"
+        }
+
+        result = self.requests.post(
+          path="/api/v1/auth/aws-auth/login",
+          json=requestBody,
+          model=MachineIdentityLoginResponse
+        )
+
+        self.setToken(result.data.accessToken)
+
+        return result.data
+
+    def _get_aws_credentials(self, session: boto3.Session) -> Any:
+        try:
+            credentials = session.get_credentials()
+            if credentials is None:
+                raise NoCredentialsError("AWS credentials not found.")
+            return credentials.get_frozen_credentials()
+        except NoCredentialsError as e:
+            raise RuntimeError(f"AWS IAM Auth Login failed: {str(e)}")
+
+    def _prepare_aws_request(
+      self,
+      url: str,
+      body: str,
+      credentials: Any,
+      region: str) -> Dict[str, str]:
+
+        current_time = datetime.datetime.now(datetime.timezone.utc)
+        amz_date = current_time.strftime('%Y%m%dT%H%M%SZ')
+
+        request = AWSRequest(method="POST", url=url, data=body)
+        request.headers["X-Amz-Date"] = amz_date
+        request.headers["Host"] = f"sts.{region}.amazonaws.com"
+        request.headers["Content-Type"] = "application/x-www-form-urlencoded; charset=utf-8"
+        request.headers["Content-Length"] = str(len(body))
+
+        signer = SigV4Auth(credentials, "sts", region)
+        signer.add_auth(request)
+
+        return {k: v for k, v in request.headers.items() if k.lower() != "content-length"}
+
+    @staticmethod
+    def get_aws_region() -> str:
+        region = os.getenv("AWS_REGION")  # Typically found in lambda runtime environment
+        if region:
+            return region
+
+        try:
+            return AWSAuth._get_aws_ec2_identity_document_region()
+        except Exception as e:
+            raise Exception("Failed to retrieve AWS region") from e
+
+    @staticmethod
+    def _get_aws_ec2_identity_document_region(timeout: int = 5000) -> str:
+        session = requests.Session()
+        token_response = session.put(
+            "http://169.254.169.254/latest/api/token",
+            headers={"X-aws-ec2-metadata-token-ttl-seconds": "21600"},
+            timeout=timeout / 1000
+        )
+        token_response.raise_for_status()
+        metadata_token = token_response.text
+
+        identity_response = session.get(
+            "http://169.254.169.254/latest/dynamic/instance-identity/document",
+            headers={"X-aws-ec2-metadata-token": metadata_token, "Accept": "application/json"},
+            timeout=timeout / 1000
+        )
+
+        identity_response.raise_for_status()
+        return identity_response.json().get("region")

infisical_sdk/resources/auth_methods/universal_auth.py

@@ -0,0 +1,35 @@
+from infisical_sdk.api_types import MachineIdentityLoginResponse
+
+from typing import Callable
+from infisical_sdk.infisical_requests import InfisicalRequests
+class UniversalAuth:
+    def __init__(self, requests: InfisicalRequests, setToken: Callable[[str], None]):
+        self.requests = requests
+        self.setToken = setToken
+
+    def login(self, client_id: str, client_secret: str) -> MachineIdentityLoginResponse:
+        """
+        Login with Universal Auth.
+
+        Args:
+            client_id (str): Your Machine Identity Client ID.
+            client_secret (str): Your Machine Identity Client Secret.
+
+        Returns:
+            Dict: A dictionary containing the access token and related information.
+        """
+
+        requestBody = {
+            "clientId": client_id,
+            "clientSecret": client_secret
+        }
+
+        result = self.requests.post(
+          path="/api/v1/auth/universal-auth/login",
+          json=requestBody,
+          model=MachineIdentityLoginResponse
+        )
+
+        self.setToken(result.data.accessToken)
+
+        return result.data

infisical_sdk/resources/kms.py

@@ -0,0 +1,177 @@
+from infisical_sdk.api_types import SymmetricEncryption, KmsKeysOrderBy, OrderDirection
+from infisical_sdk.api_types import ListKmsKeysResponse, SingleKmsKeyResponse
+from infisical_sdk.api_types import KmsKey, KmsKeyEncryptDataResponse, KmsKeyDecryptDataResponse
+
+from infisical_sdk.infisical_requests import InfisicalRequests
+
+
+class KMS:
+    def __init__(self, requests: InfisicalRequests) -> None:
+        self.requests = requests
+
+    def list_keys(
+            self,
+            project_id: str,
+            offset: int = 0,
+            limit: int = 100,
+            order_by: KmsKeysOrderBy = KmsKeysOrderBy.NAME,
+            order_direction: OrderDirection = OrderDirection.ASC,
+            search: str = None) -> ListKmsKeysResponse:
+
+        params = {
+            "projectId": project_id,
+            "search": search,
+            "offset": offset,
+            "limit": limit,
+            "orderBy": order_by,
+            "orderDirection": order_direction,
+        }
+
+        result = self.requests.get(
+            path="/api/v1/kms/keys",
+            params=params,
+            model=ListKmsKeysResponse
+        )
+
+        return result.data
+
+    def get_key_by_id(
+            self,
+            key_id: str) -> KmsKey:
+
+        result = self.requests.get(
+            path=f"/api/v1/kms/keys/{key_id}",
+            model=SingleKmsKeyResponse
+        )
+
+        return result.data.key
+
+    def get_key_by_name(
+            self,
+            key_name: str,
+            project_id: str) -> KmsKey:
+
+        params = {
+            "projectId": project_id,
+        }
+
+        result = self.requests.get(
+            path=f"/api/v1/kms/keys/key-name/{key_name}",
+            params=params,
+            model=SingleKmsKeyResponse
+        )
+
+        return result.data.key
+
+    def create_key(
+            self,
+            name: str,
+            project_id: str,
+            encryption_algorithm: SymmetricEncryption,
+            description: str = None) -> KmsKey:
+
+        request_body = {
+            "name": name,
+            "projectId": project_id,
+            "encryptionAlgorithm": encryption_algorithm,
+            "description": description,
+        }
+
+        result = self.requests.post(
+            path="/api/v1/kms/keys",
+            json=request_body,
+            model=SingleKmsKeyResponse
+        )
+
+        return result.data.key
+
+    def update_key(
+            self,
+            key_id: str,
+            name: str = None,
+            is_disabled: bool = None,
+            description: str = None) -> KmsKey:
+
+        request_body = {
+            "name": name,
+            "isDisabled": is_disabled,
+            "description": description,
+        }
+
+        result = self.requests.patch(
+            path=f"/api/v1/kms/keys/{key_id}",
+            json=request_body,
+            model=SingleKmsKeyResponse
+        )
+
+        return result.data.key
+
+    def delete_key(
+            self,
+            key_id: str) -> KmsKey:
+
+        result = self.requests.delete(
+            path=f"/api/v1/kms/keys/{key_id}",
+            json={},
+            model=SingleKmsKeyResponse
+        )
+
+        return result.data.key
+
+    def encrypt_data(
+            self,
+            key_id: str,
+            base64EncodedPlaintext: str) -> str:
+        """
+            Encrypt data with the specified KMS key.
+
+            :param key_id: The ID of the key to decrypt the ciphertext with
+            :type key_id: str
+            :param base64EncodedPlaintext: The base64 encoded plaintext to encrypt
+            :type plaintext: str
+
+
+            :return: The encrypted base64 encoded plaintext (ciphertext)
+            :rtype: str
+        """
+
+        request_body = {
+            "plaintext": base64EncodedPlaintext
+        }
+
+        result = self.requests.post(
+            path=f"/api/v1/kms/keys/{key_id}/encrypt",
+            json=request_body,
+            model=KmsKeyEncryptDataResponse
+        )
+
+        return result.data.ciphertext
+
+    def decrypt_data(
+            self,
+            key_id: str,
+            ciphertext: str) -> str:
+        """
+            Decrypt data with the specified KMS key.
+
+            :param key_id: The ID of the key to decrypt the ciphertext with
+            :type key_id: str
+            :param ciphertext: The encrypted base64 plaintext to decrypt
+            :type ciphertext: str
+
+
+            :return: The base64 encoded plaintext
+            :rtype: str
+        """
+
+        request_body = {
+            "ciphertext": ciphertext
+        }
+
+        result = self.requests.post(
+            path=f"/api/v1/kms/keys/{key_id}/decrypt",
+            json=request_body,
+            model=KmsKeyDecryptDataResponse
+        )
+
+        return result.data.plaintext

infisical_sdk/resources/secrets.py

@@ -0,0 +1,235 @@
+from typing import List, Union
+
+from infisical_sdk.infisical_requests import InfisicalRequests
+from infisical_sdk.api_types import ListSecretsResponse, SingleSecretResponse, BaseSecret
+from infisical_sdk.util import SecretsCache
+
+CACHE_KEY_LIST_SECRETS = "cache-list-secrets"
+CACHE_KEY_SINGLE_SECRET = "cache-single-secret"
+
+class V3RawSecrets:
+    def __init__(self, requests: InfisicalRequests, cache: SecretsCache) -> None:
+        self.requests = requests
+        self.cache = cache
+
+    def list_secrets(
+            self,
+            project_id: str,
+            environment_slug: str,
+            secret_path: str,
+            expand_secret_references: bool = True,
+            view_secret_value: bool = True,
+            recursive: bool = False,
+            include_imports: bool = True,
+            tag_filters: List[str] = []) -> ListSecretsResponse:
+
+        params = {
+            "workspaceId": project_id,
+            "environment": environment_slug,
+            "secretPath": secret_path,
+            "viewSecretValue": str(view_secret_value).lower(),
+            "expandSecretReferences": str(expand_secret_references).lower(),
+            "recursive": str(recursive).lower(),
+            "include_imports": str(include_imports).lower(),
+        }
+
+        if tag_filters:
+            params["tagSlugs"] = ",".join(tag_filters)
+
+        
+        cache_key = self.cache.compute_cache_key(CACHE_KEY_LIST_SECRETS, **params)
+        if self.cache.enabled:
+          cached_response = self.cache.get(cache_key)
+
+          if cached_response is not None and isinstance(cached_response, ListSecretsResponse):
+            return cached_response
+
+        result = self.requests.get(
+            path="/api/v3/secrets/raw",
+            params=params,
+            model=ListSecretsResponse
+        )
+
+        if self.cache.enabled:
+          self.cache.set(cache_key, result.data)
+
+        return result.data
+
+    def get_secret_by_name(
+            self,
+            secret_name: str,
+            project_id: str,
+            environment_slug: str,
+            secret_path: str,
+            expand_secret_references: bool = True,
+            include_imports: bool = True,
+            view_secret_value: bool = True,
+            version: str = None) -> BaseSecret:
+
+        params = {
+          "workspaceId": project_id,
+          "viewSecretValue": str(view_secret_value).lower(),
+          "environment": environment_slug,
+          "secretPath": secret_path,
+          "expandSecretReferences": str(expand_secret_references).lower(),
+          "include_imports": str(include_imports).lower(),
+          "version": version
+        }
+
+        cache_params = {
+           "project_id": project_id,
+           "environment_slug": environment_slug,
+           "secret_path": secret_path,
+           "secret_name": secret_name,
+        }
+
+        cache_key = self.cache.compute_cache_key(CACHE_KEY_SINGLE_SECRET, **cache_params)
+
+        if self.cache.enabled:
+          cached_response = self.cache.get(cache_key)
+
+          if cached_response is not None and isinstance(cached_response, BaseSecret):
+            return cached_response
+
+        result = self.requests.get(
+            path=f"/api/v3/secrets/raw/{secret_name}",
+            params=params,
+            model=SingleSecretResponse
+        )
+
+        if self.cache.enabled:
+          self.cache.set(cache_key, result.data.secret)
+
+        return result.data.secret
+
+    def create_secret_by_name(
+            self,
+            secret_name: str,
+            project_id: str,
+            secret_path: str,
+            environment_slug: str,
+            secret_value: str = None,
+            secret_comment: str = None,
+            skip_multiline_encoding: bool = False,
+            secret_reminder_repeat_days: Union[float, int] = None,
+            secret_reminder_note: str = None) -> BaseSecret:
+
+        requestBody = {
+          "workspaceId": project_id,
+          "environment": environment_slug,
+          "secretPath": secret_path,
+          "secretValue": secret_value,
+          "secretComment": secret_comment,
+          "tagIds": None,
+          "skipMultilineEncoding": skip_multiline_encoding,
+          "type": "shared",
+          "secretReminderRepeatDays": secret_reminder_repeat_days,
+          "secretReminderNote": secret_reminder_note
+        }
+        result = self.requests.post(
+            path=f"/api/v3/secrets/raw/{secret_name}",
+            json=requestBody,
+            model=SingleSecretResponse
+        )
+
+
+        if self.cache.enabled:
+          cache_params = {
+            "project_id": project_id,
+            "environment_slug": environment_slug,
+            "secret_path": secret_path,
+            "secret_name": secret_name,
+          }
+
+          cache_key = self.cache.compute_cache_key(CACHE_KEY_SINGLE_SECRET, **cache_params)
+          self.cache.set(cache_key, result.data.secret)
+
+          # Invalidates all list secret cache
+          self.cache.invalidate_operation(CACHE_KEY_LIST_SECRETS)
+
+        return result.data.secret
+
+    def update_secret_by_name(
+        self,
+        current_secret_name: str,
+        project_id: str,
+        secret_path: str,
+        environment_slug: str,
+        secret_value: str = None,
+        secret_comment: str = None,
+        skip_multiline_encoding: bool = False,
+        secret_reminder_repeat_days: Union[float, int] = None,
+        secret_reminder_note: str = None,
+        new_secret_name: str = None) -> BaseSecret:
+
+        requestBody = {
+          "workspaceId": project_id,
+          "environment": environment_slug,
+          "secretPath": secret_path,
+          "secretValue": secret_value,
+          "secretComment": secret_comment,
+          "newSecretName": new_secret_name,
+          "tagIds": None,
+          "skipMultilineEncoding": skip_multiline_encoding,
+          "type": "shared",
+          "secretReminderRepeatDays": secret_reminder_repeat_days,
+          "secretReminderNote": secret_reminder_note
+        }
+
+        result = self.requests.patch(
+            path=f"/api/v3/secrets/raw/{current_secret_name}",
+            json=requestBody,
+            model=SingleSecretResponse
+        )
+
+        if self.cache.enabled:
+           cache_params = {
+            "project_id": project_id,
+            "environment_slug": environment_slug,
+            "secret_path": secret_path,
+            "secret_name": current_secret_name,
+           }
+
+           cache_key = self.cache.compute_cache_key(CACHE_KEY_SINGLE_SECRET, **cache_params)
+           self.cache.unset(cache_key)
+
+           # Invalidates all list secret cache
+           self.cache.invalidate_operation(CACHE_KEY_LIST_SECRETS)
+
+        return result.data.secret
+
+    def delete_secret_by_name(
+            self,
+            secret_name: str,
+            project_id: str,
+            secret_path: str,
+            environment_slug: str) -> BaseSecret:
+
+        requestBody = {
+          "workspaceId": project_id,
+          "environment": environment_slug,
+          "secretPath": secret_path,
+          "type": "shared",
+        }
+
+        result = self.requests.delete(
+            path=f"/api/v3/secrets/raw/{secret_name}",
+            json=requestBody,
+            model=SingleSecretResponse
+        )
+
+        if self.cache.enabled:
+          cache_params = {
+            "project_id": project_id,
+            "environment_slug": environment_slug,
+            "secret_path": secret_path,
+            "secret_name": secret_name,
+          }
+
+          cache_key = self.cache.compute_cache_key(CACHE_KEY_SINGLE_SECRET, **cache_params)
+          self.cache.unset(cache_key)
+
+          # Invalidates all list secret cache
+          self.cache.invalidate_operation(CACHE_KEY_LIST_SECRETS)
+
+        return result.data.secret

infisical_sdk/util/__init__.py

@@ -0,0 +1 @@
+from .secrets_cache import SecretsCache

infisical_sdk/util/secrets_cache.py

@@ -0,0 +1,106 @@
+from typing import Dict, Tuple, Any
+
+from infisical_sdk.api_types import BaseSecret
+import json
+import time
+import threading
+from hashlib import sha256
+import pickle
+
+MAX_CACHE_SIZE = 1000
+
+class SecretsCache:
+    def __init__(self, ttl_seconds: int = 60) -> None:
+      if ttl_seconds is None or ttl_seconds <= 0:
+          self.enabled = False
+          return
+    
+      self.enabled = True
+      self.ttl = ttl_seconds
+      self.cleanup_interval = 60
+
+      self.cache: Dict[str, Tuple[bytes, float]] = {}
+
+      self.lock = threading.RLock()
+
+      self.stop_cleanup_thread = False
+      self.cleanup_thread = threading.Thread(target=self._cleanup_worker, daemon=True)
+      self.cleanup_thread.start()
+
+    def compute_cache_key(self, operation_name: str, **kwargs) -> str:
+      sorted_kwargs = sorted(kwargs.items())
+      json_str = json.dumps(sorted_kwargs)
+
+      return f"{operation_name}-{sha256(json_str.encode()).hexdigest()}"
+  
+    def get(self, cache_key: str) -> Any:
+      if not self.enabled:
+        return None
+
+      with self.lock:
+          if cache_key in self.cache:
+              serialized_value, timestamp = self.cache[cache_key]
+              if time.time() - timestamp <= self.ttl:
+                  return pickle.loads(serialized_value)
+              else:
+                  self.cache.pop(cache_key, None)
+                  return None
+          else:
+              return None
+            
+            
+    def set(self, cache_key: str, value: Any) -> None:
+      if not self.enabled:
+        return
+
+      with self.lock:
+        serialized_value = pickle.dumps(value)
+        self.cache[cache_key] = (serialized_value, time.time())
+
+        if len(self.cache) > MAX_CACHE_SIZE:
+          oldest_key = min(self.cache.keys(), key=lambda k: self.cache[k][1]) # oldest key based on timestamp
+          self.cache.pop(oldest_key)
+
+
+
+    def unset(self, cache_key: str) -> None:
+      if not self.enabled:
+        return
+
+      with self.lock:
+        self.cache.pop(cache_key, None)
+
+    def invalidate_operation(self, operation_name: str) -> None:
+      if not self.enabled:
+        return
+
+      with self.lock:
+        for key in list(self.cache.keys()):
+          if key.startswith(operation_name):
+            self.cache.pop(key, None)
+
+
+    def _cleanup_expired_items(self) -> None:
+      """Remove all expired items from the cache."""
+      current_time = time.time()
+      with self.lock:
+          expired_keys = [
+              key for key, (_, timestamp) in self.cache.items() 
+              if current_time - timestamp > self.ttl
+          ]
+          for key in expired_keys:
+              self.cache.pop(key, None)
+  
+    def _cleanup_worker(self) -> None:
+      """Background worker that periodically cleans up expired items."""
+      while not self.stop_cleanup_thread:
+        time.sleep(self.cleanup_interval)
+        self._cleanup_expired_items()
+
+    def __del__(self) -> None:
+      """Ensure thread is properly stopped when the object is garbage collected."""
+      self.stop_cleanup_thread = True
+      if self.enabled and self.cleanup_thread.is_alive():
+        self.cleanup_thread.join(timeout=1.0)
+        
+        

{infisicalsdk-1.0.6.dist-info → infisicalsdk-1.0.8.dist-info}/METADATA

@@ -1,6 +1,6 @@
-Metadata-Version: 2.2
+Metadata-Version: 2.4
 Name: infisicalsdk
-Version: 1.0.6
+Version: 1.0.8
 Summary: Infisical API Client
 Home-page: https://github.com/Infisical/python-sdk-official
 Author: Infisical