infisicalsdk 1.0.6__tar.gz → 1.0.8__tar.gz

{infisicalsdk-1.0.6 → infisicalsdk-1.0.8}/PKG-INFO

@@ -1,6 +1,6 @@
-Metadata-Version: 2.2
+Metadata-Version: 2.4
 Name: infisicalsdk
-Version: 1.0.6
+Version: 1.0.8
 Summary: Infisical API Client
 Home-page: https://github.com/Infisical/python-sdk-official
 Author: Infisical

{infisicalsdk-1.0.6 → infisicalsdk-1.0.8}/README.md

@@ -45,12 +45,29 @@ client.auth.universal_auth.login(
 secrets = client.secrets.list_secrets(project_id="<project-id>", environment_slug="dev", secret_path="/")
 ```
 
+## InfisicalSDKClient Parameters
+
+The `InfisicalSDKClient` takes the following parameters, which are used as a global configuration for the lifetime of the SDK instance.
+
+- **host** (`str`, _Optional_): The host URL for your Infisical instance. Defaults to `https://app.infisical.com`.
+- **token** (`str`, _Optional_): Specify an authentication token to use for all requests. If provided, you will not need to call any of the `auth` methods. Defaults to `None`
+- **cache_ttl** (`int`, _Optional_): The SDK has built-in client-side caching for secrets, greatly improving response times. By default, secrets are cached for 1 minute (60 seconds). You can disable caching by setting `cache_ttl` to `None`, or adjust the duration in seconds as needed.
+
+```python
+client = InfisicalSDKClient(
+  host="https://app.infisical.com", # Defaults to https://app.infisical.com
+  token="<optional-auth-token>", # If not set, use the client.auth() methods.
+  cache_ttl = 300 # `None` to disable caching
+)
+```
+
 ## Core Methods
 
 The SDK methods are organized into the following high-level categories:
 
 1. `auth`: Handles authentication methods.
 2. `secrets`: Manages CRUD operations for secrets.
+3. `kms`: Perform cryptographic operations with Infisical KMS.
 
 ### `auth`
 

{infisicalsdk-1.0.6 → infisicalsdk-1.0.8}/infisical_sdk/__init__.py

@@ -1,3 +1,3 @@
 from .client import InfisicalSDKClient # noqa
 from .infisical_requests import InfisicalError # noqa
-from .api_types import SingleSecretResponse, ListSecretsResponse, BaseSecret # noqa
+from .api_types import SingleSecretResponse, ListSecretsResponse, BaseSecret, SymmetricEncryption # noqa

infisicalsdk-1.0.8/infisical_sdk/client.py

@@ -0,0 +1,40 @@
+from .infisical_requests import InfisicalRequests
+
+from infisical_sdk.resources import Auth
+from infisical_sdk.resources import V3RawSecrets
+from infisical_sdk.resources import KMS
+
+from infisical_sdk.util import SecretsCache
+
+class InfisicalSDKClient:
+    def __init__(self, host: str, token: str = None, cache_ttl: int = 60):
+        """
+        Initialize the Infisical SDK client.
+
+        :param str host: The host URL for your Infisical instance. Will default to `https://app.infisical.com` if not specified.
+        :param str token: The authentication token for the client. If not specified, you can use the `auth` methods to authenticate.
+        :param int cache_ttl: The time to live for the secrets cache. This is the number of seconds that secrets fetched from the API will be cached for. Set to `None` to disable caching. Defaults to `60` seconds.
+        """
+        
+        self.host = host
+        self.access_token = token
+
+        self.api = InfisicalRequests(host=host, token=token)
+        self.cache = SecretsCache(cache_ttl)
+        self.auth = Auth(self.api, self.set_token)
+        self.secrets = V3RawSecrets(self.api, self.cache)
+        self.kms = KMS(self.api)
+
+    def set_token(self, token: str):
+        """
+        Set the access token for future requests.
+        """
+        self.api.set_token(token)
+        self.access_token = token
+
+    def get_token(self):
+        """
+        Set the access token for future requests.
+        """
+        return self.access_token
+

{infisicalsdk-1.0.6 → infisicalsdk-1.0.8}/infisical_sdk/infisical_requests.py

@@ -1,9 +1,27 @@
-from typing import Any, Dict, Generic, Optional, TypeVar, Type
+from typing import Any, Dict, Generic, Optional, TypeVar, Type, Callable, List
+import socket
 import requests
+import functools
 from dataclasses import dataclass
+import time
+import random
 
 T = TypeVar("T")
 
+# List of network-related exceptions that should trigger retries
+NETWORK_ERRORS = [
+    requests.exceptions.ConnectionError,
+    requests.exceptions.ChunkedEncodingError,
+    requests.exceptions.ReadTimeout,
+    requests.exceptions.ConnectTimeout,
+    socket.gaierror,
+    socket.timeout,
+    ConnectionResetError,
+    ConnectionRefusedError,
+    ConnectionError,
+    ConnectionAbortedError,
+]
+
 def join_url(base: str, path: str) -> str:
     """
     Join base URL and path properly, handling slashes appropriately.
@@ -49,6 +67,42 @@ class APIResponse(Generic[T]):
             headers=data['headers']
         )
 
+def with_retry(
+    max_retries: int = 3, 
+    base_delay: float = 1.0, 
+    network_errors: Optional[List[Type[Exception]]] = None
+) -> Callable:
+    """
+    Decorator to add retry logic with exponential backoff to requests methods.
+    """
+    if network_errors is None:
+        network_errors = NETWORK_ERRORS
+        
+    def decorator(func: Callable) -> Callable:
+        @functools.wraps(func)
+        def wrapper(*args, **kwargs):
+            retry_count = 0
+            
+            while True:
+                try:
+                    return func(*args, **kwargs)
+                except tuple(network_errors) as error:
+                    retry_count += 1
+                    if retry_count > max_retries:
+                        raise
+                    
+                    base_delay_with_backoff = base_delay * (2 ** (retry_count - 1))
+                    
+                    # +/-20% jitter
+                    jitter = random.uniform(-0.2, 0.2) * base_delay_with_backoff
+                    delay = base_delay_with_backoff + jitter
+                    
+                    time.sleep(delay)
+        
+        return wrapper
+    
+    return decorator
+
 
 class InfisicalRequests:
     def __init__(self, host: str, token: Optional[str] = None):
@@ -93,6 +147,7 @@ class InfisicalRequests:
         except ValueError:
             raise InfisicalError("Invalid JSON response")
 
+    @with_retry(max_retries=4, base_delay=1.0)
     def get(
             self,
             path: str,
@@ -119,6 +174,7 @@ class InfisicalRequests:
             headers=dict(response.headers)
         )
 
+    @with_retry(max_retries=4, base_delay=1.0)
     def post(
             self,
             path: str,
@@ -143,6 +199,7 @@ class InfisicalRequests:
             headers=dict(response.headers)
         )
 
+    @with_retry(max_retries=4, base_delay=1.0)
     def patch(
             self,
             path: str,
@@ -167,6 +224,7 @@ class InfisicalRequests:
             headers=dict(response.headers)
         )
 
+    @with_retry(max_retries=4, base_delay=1.0)
     def delete(
             self,
             path: str,

infisicalsdk-1.0.8/infisical_sdk/resources/__init__.py

@@ -0,0 +1,3 @@
+from .secrets import V3RawSecrets
+from .kms import KMS
+from .auth import Auth

infisicalsdk-1.0.8/infisical_sdk/resources/auth.py

@@ -0,0 +1,10 @@
+from infisical_sdk.infisical_requests import InfisicalRequests
+from infisical_sdk.resources.auth_methods import AWSAuth
+from infisical_sdk.resources.auth_methods import UniversalAuth
+
+from typing import Callable
+class Auth:
+    def __init__(self, requests: InfisicalRequests, setToken: Callable[[str], None]):
+        self.requests = requests
+        self.aws_auth = AWSAuth(requests, setToken)
+        self.universal_auth = UniversalAuth(requests, setToken)

infisicalsdk-1.0.8/infisical_sdk/resources/auth_methods/__init__.py

@@ -0,0 +1,2 @@
+from .aws_auth import AWSAuth
+from .universal_auth import UniversalAuth

infisicalsdk-1.0.8/infisical_sdk/resources/auth_methods/aws_auth.py

@@ -0,0 +1,134 @@
+from botocore.auth import SigV4Auth
+from botocore.awsrequest import AWSRequest
+from botocore.exceptions import NoCredentialsError
+
+from infisical_sdk.infisical_requests import InfisicalRequests
+from infisical_sdk.api_types import MachineIdentityLoginResponse
+
+from typing import Callable
+
+import requests
+import boto3
+import base64
+import json
+import os
+import datetime
+
+from typing import Dict, Any
+
+
+class AWSAuth:
+    def __init__(self, requests: InfisicalRequests, setToken: Callable[[str], None]) -> None:
+        self.requests = requests
+        self.setToken = setToken
+
+    def login(self, identity_id: str) -> MachineIdentityLoginResponse:
+        """
+        Login with AWS Authentication.
+
+        Args:
+            identity_id (str): Your Machine Identity ID that has AWS Auth configured.
+
+        Returns:
+            Dict: A dictionary containing the access token and related information.
+        """
+
+        identity_id = identity_id or os.getenv("INFISICAL_AWS_IAM_AUTH_IDENTITY_ID")
+        if not identity_id:
+            raise ValueError(
+              "Identity ID must be provided or set in the environment variable" +
+              "INFISICAL_AWS_IAM_AUTH_IDENTITY_ID."
+            )
+
+        aws_region = self.get_aws_region()
+        session = boto3.Session(region_name=aws_region)
+
+        credentials = self._get_aws_credentials(session)
+
+        iam_request_url = f"https://sts.{aws_region}.amazonaws.com/"
+        iam_request_body = "Action=GetCallerIdentity&Version=2011-06-15"
+
+        request_headers = self._prepare_aws_request(
+          iam_request_url,
+          iam_request_body,
+          credentials,
+          aws_region
+        )
+
+        requestBody = {
+          "identityId": identity_id,
+          "iamRequestBody": base64.b64encode(iam_request_body.encode()).decode(),
+          "iamRequestHeaders": base64.b64encode(json.dumps(request_headers).encode()).decode(),
+          "iamHttpRequestMethod": "POST"
+        }
+
+        result = self.requests.post(
+          path="/api/v1/auth/aws-auth/login",
+          json=requestBody,
+          model=MachineIdentityLoginResponse
+        )
+
+        self.setToken(result.data.accessToken)
+
+        return result.data
+
+    def _get_aws_credentials(self, session: boto3.Session) -> Any:
+        try:
+            credentials = session.get_credentials()
+            if credentials is None:
+                raise NoCredentialsError("AWS credentials not found.")
+            return credentials.get_frozen_credentials()
+        except NoCredentialsError as e:
+            raise RuntimeError(f"AWS IAM Auth Login failed: {str(e)}")
+
+    def _prepare_aws_request(
+      self,
+      url: str,
+      body: str,
+      credentials: Any,
+      region: str) -> Dict[str, str]:
+
+        current_time = datetime.datetime.now(datetime.timezone.utc)
+        amz_date = current_time.strftime('%Y%m%dT%H%M%SZ')
+
+        request = AWSRequest(method="POST", url=url, data=body)
+        request.headers["X-Amz-Date"] = amz_date
+        request.headers["Host"] = f"sts.{region}.amazonaws.com"
+        request.headers["Content-Type"] = "application/x-www-form-urlencoded; charset=utf-8"
+        request.headers["Content-Length"] = str(len(body))
+
+        signer = SigV4Auth(credentials, "sts", region)
+        signer.add_auth(request)
+
+        return {k: v for k, v in request.headers.items() if k.lower() != "content-length"}
+
+    @staticmethod
+    def get_aws_region() -> str:
+        region = os.getenv("AWS_REGION")  # Typically found in lambda runtime environment
+        if region:
+            return region
+
+        try:
+            return AWSAuth._get_aws_ec2_identity_document_region()
+        except Exception as e:
+            raise Exception("Failed to retrieve AWS region") from e
+
+    @staticmethod
+    def _get_aws_ec2_identity_document_region(timeout: int = 5000) -> str:
+        session = requests.Session()
+        token_response = session.put(
+            "http://169.254.169.254/latest/api/token",
+            headers={"X-aws-ec2-metadata-token-ttl-seconds": "21600"},
+            timeout=timeout / 1000
+        )
+        token_response.raise_for_status()
+        metadata_token = token_response.text
+
+        identity_response = session.get(
+            "http://169.254.169.254/latest/dynamic/instance-identity/document",
+            headers={"X-aws-ec2-metadata-token": metadata_token, "Accept": "application/json"},
+            timeout=timeout / 1000
+        )
+
+        identity_response.raise_for_status()
+        return identity_response.json().get("region")

infisicalsdk-1.0.8/infisical_sdk/resources/auth_methods/universal_auth.py

@@ -0,0 +1,35 @@
+from infisical_sdk.api_types import MachineIdentityLoginResponse
+
+from typing import Callable
+from infisical_sdk.infisical_requests import InfisicalRequests
+class UniversalAuth:
+    def __init__(self, requests: InfisicalRequests, setToken: Callable[[str], None]):
+        self.requests = requests
+        self.setToken = setToken
+
+    def login(self, client_id: str, client_secret: str) -> MachineIdentityLoginResponse:
+        """
+        Login with Universal Auth.
+
+        Args:
+            client_id (str): Your Machine Identity Client ID.
+            client_secret (str): Your Machine Identity Client Secret.
+
+        Returns:
+            Dict: A dictionary containing the access token and related information.
+        """
+
+        requestBody = {
+            "clientId": client_id,
+            "clientSecret": client_secret
+        }
+
+        result = self.requests.post(
+          path="/api/v1/auth/universal-auth/login",
+          json=requestBody,
+          model=MachineIdentityLoginResponse
+        )
+
+        self.setToken(result.data.accessToken)
+
+        return result.data

infisicalsdk-1.0.8/infisical_sdk/resources/kms.py

@@ -0,0 +1,177 @@
+from infisical_sdk.api_types import SymmetricEncryption, KmsKeysOrderBy, OrderDirection
+from infisical_sdk.api_types import ListKmsKeysResponse, SingleKmsKeyResponse
+from infisical_sdk.api_types import KmsKey, KmsKeyEncryptDataResponse, KmsKeyDecryptDataResponse
+
+from infisical_sdk.infisical_requests import InfisicalRequests
+
+
+class KMS:
+    def __init__(self, requests: InfisicalRequests) -> None:
+        self.requests = requests
+
+    def list_keys(
+            self,
+            project_id: str,
+            offset: int = 0,
+            limit: int = 100,
+            order_by: KmsKeysOrderBy = KmsKeysOrderBy.NAME,
+            order_direction: OrderDirection = OrderDirection.ASC,
+            search: str = None) -> ListKmsKeysResponse:
+
+        params = {
+            "projectId": project_id,
+            "search": search,
+            "offset": offset,
+            "limit": limit,
+            "orderBy": order_by,
+            "orderDirection": order_direction,
+        }
+
+        result = self.requests.get(
+            path="/api/v1/kms/keys",
+            params=params,
+            model=ListKmsKeysResponse
+        )
+
+        return result.data
+
+    def get_key_by_id(
+            self,
+            key_id: str) -> KmsKey:
+
+        result = self.requests.get(
+            path=f"/api/v1/kms/keys/{key_id}",
+            model=SingleKmsKeyResponse
+        )
+
+        return result.data.key
+
+    def get_key_by_name(
+            self,
+            key_name: str,
+            project_id: str) -> KmsKey:
+
+        params = {
+            "projectId": project_id,
+        }
+
+        result = self.requests.get(
+            path=f"/api/v1/kms/keys/key-name/{key_name}",
+            params=params,
+            model=SingleKmsKeyResponse
+        )
+
+        return result.data.key
+
+    def create_key(
+            self,
+            name: str,
+            project_id: str,
+            encryption_algorithm: SymmetricEncryption,
+            description: str = None) -> KmsKey:
+
+        request_body = {
+            "name": name,
+            "projectId": project_id,
+            "encryptionAlgorithm": encryption_algorithm,
+            "description": description,
+        }
+
+        result = self.requests.post(
+            path="/api/v1/kms/keys",
+            json=request_body,
+            model=SingleKmsKeyResponse
+        )
+
+        return result.data.key
+
+    def update_key(
+            self,
+            key_id: str,
+            name: str = None,
+            is_disabled: bool = None,
+            description: str = None) -> KmsKey:
+
+        request_body = {
+            "name": name,
+            "isDisabled": is_disabled,
+            "description": description,
+        }
+
+        result = self.requests.patch(
+            path=f"/api/v1/kms/keys/{key_id}",
+            json=request_body,
+            model=SingleKmsKeyResponse
+        )
+
+        return result.data.key
+
+    def delete_key(
+            self,
+            key_id: str) -> KmsKey:
+
+        result = self.requests.delete(
+            path=f"/api/v1/kms/keys/{key_id}",
+            json={},
+            model=SingleKmsKeyResponse
+        )
+
+        return result.data.key
+
+    def encrypt_data(
+            self,
+            key_id: str,
+            base64EncodedPlaintext: str) -> str:
+        """
+            Encrypt data with the specified KMS key.
+
+            :param key_id: The ID of the key to decrypt the ciphertext with
+            :type key_id: str
+            :param base64EncodedPlaintext: The base64 encoded plaintext to encrypt
+            :type plaintext: str
+
+
+            :return: The encrypted base64 encoded plaintext (ciphertext)
+            :rtype: str
+        """
+
+        request_body = {
+            "plaintext": base64EncodedPlaintext
+        }
+
+        result = self.requests.post(
+            path=f"/api/v1/kms/keys/{key_id}/encrypt",
+            json=request_body,
+            model=KmsKeyEncryptDataResponse
+        )
+
+        return result.data.ciphertext
+
+    def decrypt_data(
+            self,
+            key_id: str,
+            ciphertext: str) -> str:
+        """
+            Decrypt data with the specified KMS key.
+
+            :param key_id: The ID of the key to decrypt the ciphertext with
+            :type key_id: str
+            :param ciphertext: The encrypted base64 plaintext to decrypt
+            :type ciphertext: str
+
+
+            :return: The base64 encoded plaintext
+            :rtype: str
+        """
+
+        request_body = {
+            "ciphertext": ciphertext
+        }
+
+        result = self.requests.post(
+            path=f"/api/v1/kms/keys/{key_id}/decrypt",
+            json=request_body,
+            model=KmsKeyDecryptDataResponse
+        )
+
+        return result.data.plaintext