infisicalsdk 1.0.6__tar.gz → 1.0.7__tar.gz

{infisicalsdk-1.0.6 → infisicalsdk-1.0.7}/PKG-INFO

@@ -1,6 +1,6 @@
-Metadata-Version: 2.2
+Metadata-Version: 2.4
 Name: infisicalsdk
-Version: 1.0.6
+Version: 1.0.7
 Summary: Infisical API Client
 Home-page: https://github.com/Infisical/python-sdk-official
 Author: Infisical

{infisicalsdk-1.0.6 → infisicalsdk-1.0.7}/README.md

@@ -45,12 +45,29 @@ client.auth.universal_auth.login(
 secrets = client.secrets.list_secrets(project_id="<project-id>", environment_slug="dev", secret_path="/")
 ```
 
+## InfisicalSDKClient Parameters
+
+The `InfisicalSDKClient` takes the following parameters, which are used as a global configuration for the lifetime of the SDK instance.
+
+- **host** (`str`, _Optional_): The host URL for your Infisical instance. Defaults to `https://app.infisical.com`.
+- **token** (`str`, _Optional_): Specify an authentication token to use for all requests. If provided, you will not need to call any of the `auth` methods. Defaults to `None`
+- **cache_ttl** (`int`, _Optional_): The SDK has built-in client-side caching for secrets, greatly improving response times. By default, secrets are cached for 1 minute (60 seconds). You can disable caching by setting `cache_ttl` to `None`, or adjust the duration in seconds as needed.
+
+```python
+client = InfisicalSDKClient(
+  host="https://app.infisical.com", # Defaults to https://app.infisical.com
+  token="<optional-auth-token>", # If not set, use the client.auth() methods.
+  cache_ttl = 300 # `None` to disable caching
+)
+```
+
 ## Core Methods
 
 The SDK methods are organized into the following high-level categories:
 
 1. `auth`: Handles authentication methods.
 2. `secrets`: Manages CRUD operations for secrets.
+3. `kms`: Perform cryptographic operations with Infisical KMS.
 
 ### `auth`
 

{infisicalsdk-1.0.6 → infisicalsdk-1.0.7}/infisical_sdk/__init__.py

@@ -1,3 +1,3 @@
 from .client import InfisicalSDKClient # noqa
 from .infisical_requests import InfisicalError # noqa
-from .api_types import SingleSecretResponse, ListSecretsResponse, BaseSecret # noqa
+from .api_types import SingleSecretResponse, ListSecretsResponse, BaseSecret, SymmetricEncryption # noqa

infisicalsdk-1.0.7/infisical_sdk/client.py

@@ -0,0 +1,40 @@
+from .infisical_requests import InfisicalRequests
+
+from infisical_sdk.resources import Auth
+from infisical_sdk.resources import V3RawSecrets
+from infisical_sdk.resources import KMS
+
+from infisical_sdk.util import SecretsCache
+
+class InfisicalSDKClient:
+    def __init__(self, host: str, token: str = None, cache_ttl: int = 60):
+        """
+        Initialize the Infisical SDK client.
+
+        :param str host: The host URL for your Infisical instance. Will default to `https://app.infisical.com` if not specified.
+        :param str token: The authentication token for the client. If not specified, you can use the `auth` methods to authenticate.
+        :param int cache_ttl: The time to live for the secrets cache. This is the number of seconds that secrets fetched from the API will be cached for. Set to `None` to disable caching. Defaults to `60` seconds.
+        """
+        
+        self.host = host
+        self.access_token = token
+
+        self.api = InfisicalRequests(host=host, token=token)
+        self.cache = SecretsCache(cache_ttl)
+        self.auth = Auth(self.api, self.set_token)
+        self.secrets = V3RawSecrets(self.api, self.cache)
+        self.kms = KMS(self.api)
+
+    def set_token(self, token: str):
+        """
+        Set the access token for future requests.
+        """
+        self.api.set_token(token)
+        self.access_token = token
+
+    def get_token(self):
+        """
+        Set the access token for future requests.
+        """
+        return self.access_token
+

infisicalsdk-1.0.7/infisical_sdk/resources/__init__.py

@@ -0,0 +1,3 @@
+from .secrets import V3RawSecrets
+from .kms import KMS
+from .auth import Auth

infisicalsdk-1.0.7/infisical_sdk/resources/auth.py

@@ -0,0 +1,10 @@
+from infisical_sdk.infisical_requests import InfisicalRequests
+from infisical_sdk.resources.auth_methods import AWSAuth
+from infisical_sdk.resources.auth_methods import UniversalAuth
+
+from typing import Callable
+class Auth:
+    def __init__(self, requests: InfisicalRequests, setToken: Callable[[str], None]):
+        self.requests = requests
+        self.aws_auth = AWSAuth(requests, setToken)
+        self.universal_auth = UniversalAuth(requests, setToken)

infisicalsdk-1.0.7/infisical_sdk/resources/auth_methods/__init__.py

@@ -0,0 +1,2 @@
+from .aws_auth import AWSAuth
+from .universal_auth import UniversalAuth

infisicalsdk-1.0.7/infisical_sdk/resources/auth_methods/aws_auth.py

@@ -0,0 +1,134 @@
+from botocore.auth import SigV4Auth
+from botocore.awsrequest import AWSRequest
+from botocore.exceptions import NoCredentialsError
+
+from infisical_sdk.infisical_requests import InfisicalRequests
+from infisical_sdk.api_types import MachineIdentityLoginResponse
+
+from typing import Callable
+
+import requests
+import boto3
+import base64
+import json
+import os
+import datetime
+
+from typing import Dict, Any
+
+
+class AWSAuth:
+    def __init__(self, requests: InfisicalRequests, setToken: Callable[[str], None]) -> None:
+        self.requests = requests
+        self.setToken = setToken
+
+    def login(self, identity_id: str) -> MachineIdentityLoginResponse:
+        """
+        Login with AWS Authentication.
+
+        Args:
+            identity_id (str): Your Machine Identity ID that has AWS Auth configured.
+
+        Returns:
+            Dict: A dictionary containing the access token and related information.
+        """
+
+        identity_id = identity_id or os.getenv("INFISICAL_AWS_IAM_AUTH_IDENTITY_ID")
+        if not identity_id:
+            raise ValueError(
+              "Identity ID must be provided or set in the environment variable" +
+              "INFISICAL_AWS_IAM_AUTH_IDENTITY_ID."
+            )
+
+        aws_region = self.get_aws_region()
+        session = boto3.Session(region_name=aws_region)
+
+        credentials = self._get_aws_credentials(session)
+
+        iam_request_url = f"https://sts.{aws_region}.amazonaws.com/"
+        iam_request_body = "Action=GetCallerIdentity&Version=2011-06-15"
+
+        request_headers = self._prepare_aws_request(
+          iam_request_url,
+          iam_request_body,
+          credentials,
+          aws_region
+        )
+
+        requestBody = {
+          "identityId": identity_id,
+          "iamRequestBody": base64.b64encode(iam_request_body.encode()).decode(),
+          "iamRequestHeaders": base64.b64encode(json.dumps(request_headers).encode()).decode(),
+          "iamHttpRequestMethod": "POST"
+        }
+
+        result = self.requests.post(
+          path="/api/v1/auth/aws-auth/login",
+          json=requestBody,
+          model=MachineIdentityLoginResponse
+        )
+
+        self.setToken(result.data.accessToken)
+
+        return result.data
+
+    def _get_aws_credentials(self, session: boto3.Session) -> Any:
+        try:
+            credentials = session.get_credentials()
+            if credentials is None:
+                raise NoCredentialsError("AWS credentials not found.")
+            return credentials.get_frozen_credentials()
+        except NoCredentialsError as e:
+            raise RuntimeError(f"AWS IAM Auth Login failed: {str(e)}")
+
+    def _prepare_aws_request(
+      self,
+      url: str,
+      body: str,
+      credentials: Any,
+      region: str) -> Dict[str, str]:
+
+        current_time = datetime.datetime.now(datetime.timezone.utc)
+        amz_date = current_time.strftime('%Y%m%dT%H%M%SZ')
+
+        request = AWSRequest(method="POST", url=url, data=body)
+        request.headers["X-Amz-Date"] = amz_date
+        request.headers["Host"] = f"sts.{region}.amazonaws.com"
+        request.headers["Content-Type"] = "application/x-www-form-urlencoded; charset=utf-8"
+        request.headers["Content-Length"] = str(len(body))
+
+        signer = SigV4Auth(credentials, "sts", region)
+        signer.add_auth(request)
+
+        return {k: v for k, v in request.headers.items() if k.lower() != "content-length"}
+
+    @staticmethod
+    def get_aws_region() -> str:
+        region = os.getenv("AWS_REGION")  # Typically found in lambda runtime environment
+        if region:
+            return region
+
+        try:
+            return AWSAuth._get_aws_ec2_identity_document_region()
+        except Exception as e:
+            raise Exception("Failed to retrieve AWS region") from e
+
+    @staticmethod
+    def _get_aws_ec2_identity_document_region(timeout: int = 5000) -> str:
+        session = requests.Session()
+        token_response = session.put(
+            "http://169.254.169.254/latest/api/token",
+            headers={"X-aws-ec2-metadata-token-ttl-seconds": "21600"},
+            timeout=timeout / 1000
+        )
+        token_response.raise_for_status()
+        metadata_token = token_response.text
+
+        identity_response = session.get(
+            "http://169.254.169.254/latest/dynamic/instance-identity/document",
+            headers={"X-aws-ec2-metadata-token": metadata_token, "Accept": "application/json"},
+            timeout=timeout / 1000
+        )
+
+        identity_response.raise_for_status()
+        return identity_response.json().get("region")

infisicalsdk-1.0.7/infisical_sdk/resources/auth_methods/universal_auth.py

@@ -0,0 +1,35 @@
+from infisical_sdk.api_types import MachineIdentityLoginResponse
+
+from typing import Callable
+from infisical_sdk.infisical_requests import InfisicalRequests
+class UniversalAuth:
+    def __init__(self, requests: InfisicalRequests, setToken: Callable[[str], None]):
+        self.requests = requests
+        self.setToken = setToken
+
+    def login(self, client_id: str, client_secret: str) -> MachineIdentityLoginResponse:
+        """
+        Login with Universal Auth.
+
+        Args:
+            client_id (str): Your Machine Identity Client ID.
+            client_secret (str): Your Machine Identity Client Secret.
+
+        Returns:
+            Dict: A dictionary containing the access token and related information.
+        """
+
+        requestBody = {
+            "clientId": client_id,
+            "clientSecret": client_secret
+        }
+
+        result = self.requests.post(
+          path="/api/v1/auth/universal-auth/login",
+          json=requestBody,
+          model=MachineIdentityLoginResponse
+        )
+
+        self.setToken(result.data.accessToken)
+
+        return result.data

infisicalsdk-1.0.7/infisical_sdk/resources/kms.py

@@ -0,0 +1,177 @@
+from infisical_sdk.api_types import SymmetricEncryption, KmsKeysOrderBy, OrderDirection
+from infisical_sdk.api_types import ListKmsKeysResponse, SingleKmsKeyResponse
+from infisical_sdk.api_types import KmsKey, KmsKeyEncryptDataResponse, KmsKeyDecryptDataResponse
+
+from infisical_sdk.infisical_requests import InfisicalRequests
+
+
+class KMS:
+    def __init__(self, requests: InfisicalRequests) -> None:
+        self.requests = requests
+
+    def list_keys(
+            self,
+            project_id: str,
+            offset: int = 0,
+            limit: int = 100,
+            order_by: KmsKeysOrderBy = KmsKeysOrderBy.NAME,
+            order_direction: OrderDirection = OrderDirection.ASC,
+            search: str = None) -> ListKmsKeysResponse:
+
+        params = {
+            "projectId": project_id,
+            "search": search,
+            "offset": offset,
+            "limit": limit,
+            "orderBy": order_by,
+            "orderDirection": order_direction,
+        }
+
+        result = self.requests.get(
+            path="/api/v1/kms/keys",
+            params=params,
+            model=ListKmsKeysResponse
+        )
+
+        return result.data
+
+    def get_key_by_id(
+            self,
+            key_id: str) -> KmsKey:
+
+        result = self.requests.get(
+            path=f"/api/v1/kms/keys/{key_id}",
+            model=SingleKmsKeyResponse
+        )
+
+        return result.data.key
+
+    def get_key_by_name(
+            self,
+            key_name: str,
+            project_id: str) -> KmsKey:
+
+        params = {
+            "projectId": project_id,
+        }
+
+        result = self.requests.get(
+            path=f"/api/v1/kms/keys/key-name/{key_name}",
+            params=params,
+            model=SingleKmsKeyResponse
+        )
+
+        return result.data.key
+
+    def create_key(
+            self,
+            name: str,
+            project_id: str,
+            encryption_algorithm: SymmetricEncryption,
+            description: str = None) -> KmsKey:
+
+        request_body = {
+            "name": name,
+            "projectId": project_id,
+            "encryptionAlgorithm": encryption_algorithm,
+            "description": description,
+        }
+
+        result = self.requests.post(
+            path="/api/v1/kms/keys",
+            json=request_body,
+            model=SingleKmsKeyResponse
+        )
+
+        return result.data.key
+
+    def update_key(
+            self,
+            key_id: str,
+            name: str = None,
+            is_disabled: bool = None,
+            description: str = None) -> KmsKey:
+
+        request_body = {
+            "name": name,
+            "isDisabled": is_disabled,
+            "description": description,
+        }
+
+        result = self.requests.patch(
+            path=f"/api/v1/kms/keys/{key_id}",
+            json=request_body,
+            model=SingleKmsKeyResponse
+        )
+
+        return result.data.key
+
+    def delete_key(
+            self,
+            key_id: str) -> KmsKey:
+
+        result = self.requests.delete(
+            path=f"/api/v1/kms/keys/{key_id}",
+            json={},
+            model=SingleKmsKeyResponse
+        )
+
+        return result.data.key
+
+    def encrypt_data(
+            self,
+            key_id: str,
+            base64EncodedPlaintext: str) -> str:
+        """
+            Encrypt data with the specified KMS key.
+
+            :param key_id: The ID of the key to decrypt the ciphertext with
+            :type key_id: str
+            :param base64EncodedPlaintext: The base64 encoded plaintext to encrypt
+            :type plaintext: str
+
+
+            :return: The encrypted base64 encoded plaintext (ciphertext)
+            :rtype: str
+        """
+
+        request_body = {
+            "plaintext": base64EncodedPlaintext
+        }
+
+        result = self.requests.post(
+            path=f"/api/v1/kms/keys/{key_id}/encrypt",
+            json=request_body,
+            model=KmsKeyEncryptDataResponse
+        )
+
+        return result.data.ciphertext
+
+    def decrypt_data(
+            self,
+            key_id: str,
+            ciphertext: str) -> str:
+        """
+            Decrypt data with the specified KMS key.
+
+            :param key_id: The ID of the key to decrypt the ciphertext with
+            :type key_id: str
+            :param ciphertext: The encrypted base64 plaintext to decrypt
+            :type ciphertext: str
+
+
+            :return: The base64 encoded plaintext
+            :rtype: str
+        """
+
+        request_body = {
+            "ciphertext": ciphertext
+        }
+
+        result = self.requests.post(
+            path=f"/api/v1/kms/keys/{key_id}/decrypt",
+            json=request_body,
+            model=KmsKeyDecryptDataResponse
+        )
+
+        return result.data.plaintext

infisicalsdk-1.0.7/infisical_sdk/resources/secrets.py

@@ -0,0 +1,235 @@
+from typing import List, Union
+
+from infisical_sdk.infisical_requests import InfisicalRequests
+from infisical_sdk.api_types import ListSecretsResponse, SingleSecretResponse, BaseSecret
+from infisical_sdk.util import SecretsCache
+
+CACHE_KEY_LIST_SECRETS = "cache-list-secrets"
+CACHE_KEY_SINGLE_SECRET = "cache-single-secret"
+
+class V3RawSecrets:
+    def __init__(self, requests: InfisicalRequests, cache: SecretsCache) -> None:
+        self.requests = requests
+        self.cache = cache
+
+    def list_secrets(
+            self,
+            project_id: str,
+            environment_slug: str,
+            secret_path: str,
+            expand_secret_references: bool = True,
+            view_secret_value: bool = True,
+            recursive: bool = False,
+            include_imports: bool = True,
+            tag_filters: List[str] = []) -> ListSecretsResponse:
+
+        params = {
+            "workspaceId": project_id,
+            "environment": environment_slug,
+            "secretPath": secret_path,
+            "viewSecretValue": str(view_secret_value).lower(),
+            "expandSecretReferences": str(expand_secret_references).lower(),
+            "recursive": str(recursive).lower(),
+            "include_imports": str(include_imports).lower(),
+        }
+
+        if tag_filters:
+            params["tagSlugs"] = ",".join(tag_filters)
+
+        
+        cache_key = self.cache.compute_cache_key(CACHE_KEY_LIST_SECRETS, **params)
+        if self.cache.enabled:
+          cached_response = self.cache.get(cache_key)
+
+          if cached_response is not None and isinstance(cached_response, ListSecretsResponse):
+            return cached_response
+
+        result = self.requests.get(
+            path="/api/v3/secrets/raw",
+            params=params,
+            model=ListSecretsResponse
+        )
+
+        if self.cache.enabled:
+          self.cache.set(cache_key, result.data)
+
+        return result.data
+
+    def get_secret_by_name(
+            self,
+            secret_name: str,
+            project_id: str,
+            environment_slug: str,
+            secret_path: str,
+            expand_secret_references: bool = True,
+            include_imports: bool = True,
+            view_secret_value: bool = True,
+            version: str = None) -> BaseSecret:
+
+        params = {
+          "workspaceId": project_id,
+          "viewSecretValue": str(view_secret_value).lower(),
+          "environment": environment_slug,
+          "secretPath": secret_path,
+          "expandSecretReferences": str(expand_secret_references).lower(),
+          "include_imports": str(include_imports).lower(),
+          "version": version
+        }
+
+        cache_params = {
+           "project_id": project_id,
+           "environment_slug": environment_slug,
+           "secret_path": secret_path,
+           "secret_name": secret_name,
+        }
+
+        cache_key = self.cache.compute_cache_key(CACHE_KEY_SINGLE_SECRET, **cache_params)
+
+        if self.cache.enabled:
+          cached_response = self.cache.get(cache_key)
+
+          if cached_response is not None and isinstance(cached_response, BaseSecret):
+            return cached_response
+
+        result = self.requests.get(
+            path=f"/api/v3/secrets/raw/{secret_name}",
+            params=params,
+            model=SingleSecretResponse
+        )
+
+        if self.cache.enabled:
+          self.cache.set(cache_key, result.data.secret)
+
+        return result.data.secret
+
+    def create_secret_by_name(
+            self,
+            secret_name: str,
+            project_id: str,
+            secret_path: str,
+            environment_slug: str,
+            secret_value: str = None,
+            secret_comment: str = None,
+            skip_multiline_encoding: bool = False,
+            secret_reminder_repeat_days: Union[float, int] = None,
+            secret_reminder_note: str = None) -> BaseSecret:
+
+        requestBody = {
+          "workspaceId": project_id,
+          "environment": environment_slug,
+          "secretPath": secret_path,
+          "secretValue": secret_value,
+          "secretComment": secret_comment,
+          "tagIds": None,
+          "skipMultilineEncoding": skip_multiline_encoding,
+          "type": "shared",
+          "secretReminderRepeatDays": secret_reminder_repeat_days,
+          "secretReminderNote": secret_reminder_note
+        }
+        result = self.requests.post(
+            path=f"/api/v3/secrets/raw/{secret_name}",
+            json=requestBody,
+            model=SingleSecretResponse
+        )
+
+
+        if self.cache.enabled:
+          cache_params = {
+            "project_id": project_id,
+            "environment_slug": environment_slug,
+            "secret_path": secret_path,
+            "secret_name": secret_name,
+          }
+
+          cache_key = self.cache.compute_cache_key(CACHE_KEY_SINGLE_SECRET, **cache_params)
+          self.cache.set(cache_key, result.data.secret)
+
+          # Invalidates all list secret cache
+          self.cache.invalidate_operation(CACHE_KEY_LIST_SECRETS)
+
+        return result.data.secret
+
+    def update_secret_by_name(
+        self,
+        current_secret_name: str,
+        project_id: str,
+        secret_path: str,
+        environment_slug: str,
+        secret_value: str = None,
+        secret_comment: str = None,
+        skip_multiline_encoding: bool = False,
+        secret_reminder_repeat_days: Union[float, int] = None,
+        secret_reminder_note: str = None,
+        new_secret_name: str = None) -> BaseSecret:
+
+        requestBody = {
+          "workspaceId": project_id,
+          "environment": environment_slug,
+          "secretPath": secret_path,
+          "secretValue": secret_value,
+          "secretComment": secret_comment,
+          "newSecretName": new_secret_name,
+          "tagIds": None,
+          "skipMultilineEncoding": skip_multiline_encoding,
+          "type": "shared",
+          "secretReminderRepeatDays": secret_reminder_repeat_days,
+          "secretReminderNote": secret_reminder_note
+        }
+
+        result = self.requests.patch(
+            path=f"/api/v3/secrets/raw/{current_secret_name}",
+            json=requestBody,
+            model=SingleSecretResponse
+        )
+
+        if self.cache.enabled:
+           cache_params = {
+            "project_id": project_id,
+            "environment_slug": environment_slug,
+            "secret_path": secret_path,
+            "secret_name": current_secret_name,
+           }
+
+           cache_key = self.cache.compute_cache_key(CACHE_KEY_SINGLE_SECRET, **cache_params)
+           self.cache.unset(cache_key)
+
+           # Invalidates all list secret cache
+           self.cache.invalidate_operation(CACHE_KEY_LIST_SECRETS)
+
+        return result.data.secret
+
+    def delete_secret_by_name(
+            self,
+            secret_name: str,
+            project_id: str,
+            secret_path: str,
+            environment_slug: str) -> BaseSecret:
+
+        requestBody = {
+          "workspaceId": project_id,
+          "environment": environment_slug,
+          "secretPath": secret_path,
+          "type": "shared",
+        }
+
+        result = self.requests.delete(
+            path=f"/api/v3/secrets/raw/{secret_name}",
+            json=requestBody,
+            model=SingleSecretResponse
+        )
+
+        if self.cache.enabled:
+          cache_params = {
+            "project_id": project_id,
+            "environment_slug": environment_slug,
+            "secret_path": secret_path,
+            "secret_name": secret_name,
+          }
+
+          cache_key = self.cache.compute_cache_key(CACHE_KEY_SINGLE_SECRET, **cache_params)
+          self.cache.unset(cache_key)
+
+          # Invalidates all list secret cache
+          self.cache.invalidate_operation(CACHE_KEY_LIST_SECRETS)
+
+        return result.data.secret

infisicalsdk-1.0.7/infisical_sdk/util/__init__.py

@@ -0,0 +1 @@
+from .secrets_cache import SecretsCache