Minor fixes, some refactoring

.pylintrc

@@ -422,41 +422,13 @@ confidence=HIGH,
 # no Warning level messages displayed, use "--disable=all --enable=classes
 # --disable=W".
 disable=R,
-  locally-disabled,
-  file-ignored,
-  unexpected-special-method-signature,
-  import-error,
-  no-member,
-  unsubscriptable-object,
-  blacklisted-name,
-  invalid-name,
-  missing-docstring,
-  empty-docstring,
-  unidiomatic-typecheck,
-  wrong-import-order,
-  ungrouped-imports,
-  wrong-import-position,
-  bad-mcs-method-argument,
-  bad-mcs-classmethod-argument,
-  line-too-long,
-  too-many-lines,
-  bad-continuation,
-  exec-used,
-  attribute-defined-outside-init,
-  protected-access,
-  reimported,
   fixme,
-  global-statement,
-  redefined-outer-name,
-  redefined-builtin,
-  undefined-loop-variable,
-  logging-format-interpolation,
-  invalid-format-index,
   line-too-long,
-  import-outside-toplevel,
-  deprecated-method,
-  keyword-arg-before-vararg,
+  protected-access,
+  ungrouped-imports,
+  missing-docstring,
   logging-fstring-interpolation,
+  wrong-import-position,
 
 # Enable the message, report, category or checker with the given id(s). You can
 # either give multiple identifier separated by comma (,) or put this option

changelog/77.fixed.md

@@ -0,0 +1 @@
+Fixed vault.update_config crash

changelog/78.changed.md

@@ -0,0 +1 @@
+Required x509_v2 modules to be available for specific parameters to `vault_pki`, dropped direct dependency on cryptography

pyproject.toml

@@ -38,7 +38,6 @@ requires-python = ">= 3.8"
 dynamic = ["version"]
 dependencies = [
     "salt>=3006",
-    "cryptography>=36",
 ]
 
 [project.readme]
@@ -81,6 +80,7 @@ tests = [
     "pytest-salt-factories>=1.0.0; sys_platform == 'win32'",
     "pytest-salt-factories[docker]>=1.0.0; sys_platform != 'win32'",
     "pytest-timeout",
+    "cryptography>=36",
 ]
 
 [project.entry-points."salt.loader"]

src/saltext/vault/beacons/vault_lease.py

@@ -114,7 +114,7 @@
 import salt.utils.beacons
 import salt.utils.dictupdate as dup
 
-import saltext.vault.utils.vault as vault
+from saltext.vault.utils import vault
 from saltext.vault.utils.vault.helpers import timestring_map
 
 log = logging.getLogger(__name__)

src/saltext/vault/modules/vault.py

@@ -12,7 +12,7 @@
 from salt.exceptions import SaltException
 from salt.exceptions import SaltInvocationError
 
-import saltext.vault.utils.vault as vault
+from saltext.vault.utils import vault
 from saltext.vault.utils.versions import warn_until
 
 log = logging.getLogger(__name__)

src/saltext/vault/modules/vault_db.py

@@ -16,8 +16,8 @@
 from salt.exceptions import CommandExecutionError
 from salt.exceptions import SaltInvocationError
 
-import saltext.vault.utils.vault as vault
-import saltext.vault.utils.vault.db as vaultdb
+from saltext.vault.utils import vault
+from saltext.vault.utils.vault import db as vaultdb
 
 log = logging.getLogger(__name__)
 

src/saltext/vault/modules/vault_pki.py

@@ -12,18 +12,10 @@
 import logging
 from typing import Tuple
 
-try:
-    import salt.utils.x509 as x509util
-    from cryptography.hazmat.primitives import serialization
-
-    HAS_CRYPTOGRAPHY = True
-except ImportError:
-    HAS_CRYPTOGRAPHY = False
-
 from salt.exceptions import CommandExecutionError
 from salt.exceptions import SaltInvocationError
 
-import saltext.vault.utils.vault as vault
+from saltext.vault.utils import vault
 from saltext.vault.utils.vault.pki import dec2hex
 
 log = logging.getLogger(__name__)
@@ -32,8 +24,6 @@
 
 
 def __virtual__():
-    if not HAS_CRYPTOGRAPHY:
-        return (False, "Could not load cryptography")
     return __virtualname__
 
 
@@ -62,20 +52,6 @@ def __virtual__():
     "tlsfeature",
 )
 
-DIGEST_HASHES = (
-    "SHA1",
-    "SHA224",
-    "SHA256",
-    "SHA384",
-    "SHA512",
-    "SHA512_224",
-    "SHA512_256",
-    "SHA3_224",
-    "SHA3_256",
-    "SHA3_384",
-    "SHA3_512",
-)
-
 
 def list_roles(mount="pki"):
     """
@@ -508,7 +484,7 @@ def set_default_issuer(name, mount="pki"):
 def generate_root(
     common_name,
     mount="pki",
-    type="internal",
+    type="internal",  # pylint: disable=redefined-builtin
     issuer_name=None,
     key_name=None,
     ttl=None,
@@ -814,7 +790,7 @@ def issue_certificate(
     issuer_ref=None,
     alt_names=None,
     ttl=None,
-    format="pem",
+    format="pem",  # pylint: disable=redefined-builtin
     exclude_cn_from_sans=False,
     **kwargs,
 ):
@@ -929,6 +905,9 @@ def sign_certificate(
         The private key for which certificate should be issued. Can be text or path.
         Either ``csr`` or ``private_key`` parameter can be set, not both.
 
+        .. note::
+            This parameter requires the :py:mod:`x509_v2 execution module <salt.modules.x509_v2>` to be available.
+
     private_key_passphrase
         The passphrase for the ``private_key`` if encrypted. Not used in case of ``csr``.
 
@@ -1007,7 +986,7 @@ def sign_certificate(
 
         csr_args["CN"] = common_name
 
-        csr = _build_csr(
+        csr = __salt__["x509.create_csr"](
             private_key=private_key,
             private_key_passphrase=private_key_passphrase,
             digest=digest,
@@ -1040,6 +1019,9 @@ def revoke_certificate(serial=None, certificate=None, mount="pki"):
     certificate
         Specifies the certificate (PEM or path) to revoke. Either ``serial`` or ``certificate`` must be specified.
 
+        .. note::
+            This parameter requires the :py:mod:`x509_v2 execution module <salt.modules.x509_v2>` to be available.
+
     mount
         The mount path the PKI backend is mounted to. Defaults to ``pki``.
     """
@@ -1054,10 +1036,9 @@ def revoke_certificate(serial=None, certificate=None, mount="pki"):
 
     try:
         if certificate is not None:
-            certificate = x509util.load_cert(certificate)
-            cert_encoding = getattr(serialization.Encoding, "PEM")
-            cert_bytes = certificate.public_bytes(cert_encoding)
-            payload["certificate"] = cert_bytes.decode()
+            payload["certificate"] = __salt__["x509.encode_certificate"](
+                certificate, encoding="pem"
+            )
         elif serial is not None:
             if isinstance(serial, int):
                 serial = dec2hex(serial)
@@ -1122,30 +1103,6 @@ def _split_sans(sans) -> Tuple[list, list, list, list]:
     return dns_sans, ip_sans, uri_sans, other_sans
 
 
-def _build_csr(private_key, private_key_passphrase=None, digest="sha256", **kwargs):
-    if digest.upper() not in DIGEST_HASHES:
-        raise CommandExecutionError(
-            f"Invalid value '{digest}' for digest. Valid: {','.join(DIGEST_HASHES)}"
-        )
-
-    builder, key = x509util.build_csr(
-        private_key=private_key, private_key_passphrase=private_key_passphrase, **kwargs
-    )
-    algorithm = None
-    if x509util.get_key_type(key) not in [
-        x509util.KEY_TYPE.ED25519,
-        x509util.KEY_TYPE.ED448,
-    ]:
-        algorithm = x509util.get_hashing_algorithm(digest)
-
-    csr = builder.sign(key, algorithm=algorithm)
-    csr = x509util.load_csr(csr)
-    csr_bytes = csr.public_bytes(serialization.Encoding.PEM)
-    csr = csr_bytes.decode()
-
-    return csr
-
-
 def _split_csr_kwargs(kwargs):
     csr_args = {}
     extra_args = {}

src/saltext/vault/pillar/vault.py

@@ -95,8 +95,8 @@
 from salt.exceptions import InvalidConfigError
 from salt.exceptions import SaltException
 
-import saltext.vault.utils.vault as vault
-import saltext.vault.utils.vault.helpers as vhelpers
+from saltext.vault.utils import vault
+from saltext.vault.utils.vault import helpers
 from saltext.vault.utils.versions import warn_until
 
 log = logging.getLogger(__name__)
@@ -202,7 +202,7 @@ def _get_paths(path_pattern, minion_id, pillar):
 
     paths = []
     try:
-        for expanded_pattern in vhelpers.expand_pattern_lists(path_pattern, **mappings):
+        for expanded_pattern in helpers.expand_pattern_lists(path_pattern, **mappings):
             paths.append(expanded_pattern.format(**mappings))
     except KeyError:
         log.warning("Could not resolve pillar path pattern %s", path_pattern)

src/saltext/vault/runners/vault.py

@@ -23,10 +23,10 @@
 from salt.exceptions import SaltInvocationError
 from salt.exceptions import SaltRunnerError
 
-import saltext.vault.utils.vault as vault
-import saltext.vault.utils.vault.cache as vcache
-import saltext.vault.utils.vault.factory as vfactory
-import saltext.vault.utils.vault.helpers as vhelpers
+from saltext.vault.utils import vault
+from saltext.vault.utils.vault import cache as vcache
+from saltext.vault.utils.vault import factory
+from saltext.vault.utils.vault import helpers
 from saltext.vault.utils.versions import warn_until
 
 log = logging.getLogger(__name__)
@@ -410,7 +410,7 @@ def _get_role_id(minion_id, issue_params, wrap):
     issue_params_parsed = _parse_issue_params(issue_params)
 
     if approle is False or (
-        vhelpers._get_salt_run_type(__opts__) != vhelpers.SALT_RUNTYPE_MASTER_IMPERSONATING
+        helpers._get_salt_run_type(__opts__) != helpers.SALT_RUNTYPE_MASTER_IMPERSONATING
         and not _approle_params_match(approle, issue_params_parsed)
     ):
         # This means the role has to be created/updated first
@@ -492,9 +492,9 @@ def generate_secret_id(minion_id, signature, impersonated_by_master=False, issue
         if approle_meta is False:
             raise vault.VaultNotFoundError(f"No AppRole found for minion {minion_id}.")
 
-        if vhelpers._get_salt_run_type(
+        if helpers._get_salt_run_type(
             __opts__
-        ) != vhelpers.SALT_RUNTYPE_MASTER_IMPERSONATING and not _approle_params_match(
+        ) != helpers.SALT_RUNTYPE_MASTER_IMPERSONATING and not _approle_params_match(
             approle_meta, issue_params
         ):
             _manage_approle(minion_id, issue_params)
@@ -871,7 +871,7 @@ def clear_cache(master=True, minions=True):
         Defaults to true. Set this to a list of minion IDs to only clear
         cached data pertaining to thse minions.
     """
-    config, _, _ = vfactory._get_connection_config("vault", __opts__, __context__, force_local=True)
+    config, _, _ = factory._get_connection_config("vault", __opts__, __context__, force_local=True)
     cache = vcache._get_cache_backend(config, __opts__)
 
     if cache is None:
@@ -937,7 +937,7 @@ def _get_policies(minion_id, refresh_pillar=None, **kwargs):  # pylint: disable=
     policies = []
     for pattern in _config("policies:assign"):
         try:
-            for expanded_pattern in vhelpers.expand_pattern_lists(pattern, **mappings):
+            for expanded_pattern in helpers.expand_pattern_lists(pattern, **mappings):
                 policies.append(expanded_pattern.format(**mappings).lower())  # Vault requirement
         except KeyError:
             log.warning("Could not resolve policy pattern %s for minion %s", pattern, minion_id)
@@ -1027,7 +1027,7 @@ def _get_metadata(minion_id, metadata_patterns, refresh_pillar=None):
     for key, pattern in metadata_patterns.items():
         metadata[key] = []
         try:
-            for expanded_pattern in vhelpers.expand_pattern_lists(pattern, **mappings):
+            for expanded_pattern in helpers.expand_pattern_lists(pattern, **mappings):
                 metadata[key].append(expanded_pattern.format(**mappings))
         except KeyError:
             log.warning(
@@ -1197,11 +1197,11 @@ def _manage_entity_alias(minion_id):
 
 
 def _get_approle_api():
-    return vfactory.get_approle_api(__opts__, __context__, force_local=True)
+    return vault.get_approle_api(__opts__, __context__, force_local=True)
 
 
 def _get_identity_api():
-    return vfactory.get_identity_api(__opts__, __context__, force_local=True)
+    return vault.get_identity_api(__opts__, __context__, force_local=True)
 
 
 def _get_master_client():

src/saltext/vault/sdb/vault.py

@@ -49,7 +49,7 @@
 
 import salt.exceptions
 
-import saltext.vault.utils.vault as vault
+from saltext.vault.utils import vault
 from saltext.vault.utils.versions import warn_until
 
 log = logging.getLogger(__name__)

src/saltext/vault/states/vault_db.py

@@ -14,7 +14,7 @@
 from salt.exceptions import CommandExecutionError
 from salt.exceptions import SaltInvocationError
 
-import saltext.vault.utils.vault.db as vaultdb
+from saltext.vault.utils.vault import db as vaultdb
 from saltext.vault.utils.vault.helpers import timestring_map
 
 log = logging.getLogger(__name__)

src/saltext/vault/states/vault_pki.py

@@ -12,19 +12,20 @@
 import os
 
 import salt.utils.files
+from salt.exceptions import CommandExecutionError
+from salt.exceptions import SaltInvocationError
+
+from saltext.vault.utils.vault.helpers import filter_state_internal_kwargs
+from saltext.vault.utils.vault.helpers import timestring_map
+from saltext.vault.utils.vault.pki import check_cert_for_changes
 
 try:
     import salt.utils.x509 as x509util
 
     HAS_CRYPTOGRAPHY = True
 except ImportError:
     HAS_CRYPTOGRAPHY = False
-from salt.exceptions import CommandExecutionError
-from salt.exceptions import SaltInvocationError
 
-from saltext.vault.utils.vault.helpers import filter_state_internal_kwargs
-from saltext.vault.utils.vault.helpers import timestring_map
-from saltext.vault.utils.vault.pki import check_cert_for_changes
 
 log = logging.getLogger(__name__)
 

src/saltext/vault/utils/vault/__init__.py

@@ -21,10 +21,13 @@
 from saltext.vault.utils.vault.exceptions import VaultUnsupportedOperationError
 from saltext.vault.utils.vault.exceptions import VaultUnwrapException
 from saltext.vault.utils.vault.factory import clear_cache
+from saltext.vault.utils.vault.factory import get_approle_api
 from saltext.vault.utils.vault.factory import get_authd_client
+from saltext.vault.utils.vault.factory import get_identity_api
 from saltext.vault.utils.vault.factory import get_kv
 from saltext.vault.utils.vault.factory import get_lease_store
 from saltext.vault.utils.vault.factory import parse_config
+from saltext.vault.utils.vault.factory import update_config
 from saltext.vault.utils.vault.leases import VaultLease
 from saltext.vault.utils.vault.leases import VaultSecretId
 from saltext.vault.utils.vault.leases import VaultToken