SFLvaultClient object

This is what is called when you run sflvault connect s#1 or other sflvault ... commands.

It wraps all the functionality of querying the remote vault, decrypting and displaying the results.

class sflvault.client.SFLvaultClient(config, shell=False)

This is the main SFLvault Client object.

It is used to script access to the vault, to retrieve data, to store data, or to build a GUI on top of it.

Whether you want to access a local or remote Vault server, this is the object you need.

Set up initial configuration for function calls

  • config – Configuration filename to use.
  • shell – if True, the private key will be cached for a while, so you are not asked for your password on each query to the vault.

connect(vid, with_show=False, command_line='')

Connect to a distant machine (using SSH for now)


Get information to be edited


List customers in the vault and possibly corresponding to the needed id

Keyword arguments:
customer_id – Id of the needed customer to list

Returns a list of dicts:
[{'id': '%d', 'name': 'blah'}]

customer_put(customer_id, data)

Save the (potentially modified) customer to the Vault


Add a named group to the Vault. Return the group id.

group_del(group_id, delete_cascade=False)

Remove a group from the Vault, making sure no services are left behind.


Get information to be edited


Simply list the available groups

group_put(group_id, data)

Save the (potentially modified) Group to the Vault

machine_add(customer_id, name='', fqdn='', ip='', location='', notes='')

Add a machine to the database.


Get information to be edited

machine_put(machine_id, data)

Save the (potentially modified) machine to the Vault

search(query, filters=None, verbose=True)

Search the database for query terms.


query: list of REGEXPs to be matched.

filters: dict with keys in ['groups', 'machines', 'customers'] that limits the records returned to those matching those constraints. The values can be either int or str (representing an int).

verbose (bool): shows the notes and location attributes for services and machines.

Hierarchical view of the results.
service_add(machine_id, parent_service_id, url, group_ids, secret, notes='', metadata=None)

Add a service to the Vault’s database.


machine_id: A m#id machine identifier.

parent_service_id: A s#id, parent service ID, to which you should connect before connecting to the service you’re adding. Specify 0 or None if no parent exists. If you set this, machine_id is disregarded.

url: URL of the service, with username, port and path if required

group_ids: Multiple group IDs the service is part of. See list-groups

notes: Simple text field, with notes.

secret: Password for the service. Plain-text.

metadata: Dictionary with metadata for services (depends on service).

service_get(service_id, decrypt=True, group_id=None)

Get information to be edited

service_get_tree(service_id, with_groups=False)

Get information to be edited

service_passwd(service_id, newsecret)

Updates the password on the Vault for a certain service

service_put(service_id, data)

Save the (potentially modified) service to the Vault


Set the function to ask for passphrase.

By default, it is set to _getpass, which asks for the passphrase on the command line. You can supply a new function that would, for example, pop up a window or use another mechanism to ask for the passphrase and continue authentication.

show(service_id, verbose=False, with_groups=False)

Show the information needed to connect to a particular service


List users

groups - if True, list groups for each user also


Change the password protecting the local private key.

user_setup(username, vault_url, passphrase=None)

Sets up the local configuration to communicate with the Vault.

  • username – the name with which an admin prepared (with add-user) your account.
  • vault_url – the URL pointing to the XML-RPC interface of the vault (typically host://
  • passphrase – use the given passphrase instead of asking for it on the command line.

vaultId(vid, prefix, check_alias=True)

Return an integer value for a given VaultID.

A VaultID can be one of the following:

  • 123 - treated as is, and assumed to be of type prefix.
  • m#123 - checked against prefix, otherwise raises an exception.
  • alias - checked against prefix and the aliases that are in the configuration, returns an integer, or raises an exception.

Parameters: check_alias – check for matching aliases if True, otherwise only the two first cases are treated.
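
The three VaultID forms listed above can be resolved strictly, so that a machine ID is never silently accepted where a service ID is expected. This is an added illustration, not SFLvault's own code: `resolve_vault_id`, `VaultIdError`, `rejects` and the `ALIASES` mapping (alias name to a typed ID string) are assumptions made for the example.

```python
import re

class VaultIdError(ValueError):
    """Malformed VaultID, unknown alias, or wrong type prefix."""

_NUMERIC = re.compile(r"[0-9]+")          # "123"
_TYPED = re.compile(r"([a-z])#([0-9]+)")  # "m#123"

# Constructed sample aliases; the real configuration layout is an assumption.
ALIASES = {"web": "s#12", "gw": "m#3"}

def resolve_vault_id(vid, prefix, aliases=None, check_alias=True):
    """Return the integer ID for `vid`, requiring it to be of type `prefix`."""
    if isinstance(vid, int) and not isinstance(vid, bool):
        if vid < 0:
            raise VaultIdError("negative ID: %d" % vid)
        return vid                         # case 1: bare integer
    if not isinstance(vid, str):
        raise VaultIdError("unsupported VaultID: %r" % (vid,))
    vid = vid.strip()
    if _NUMERIC.fullmatch(vid):
        return int(vid)                    # case 1: digits, assumed type `prefix`
    typed = _TYPED.fullmatch(vid)
    if typed:                              # case 2: explicit type must match
        if typed.group(1) != prefix:
            raise VaultIdError("expected %s#, got %r" % (prefix, vid))
        return int(typed.group(2))
    if check_alias and aliases and vid in aliases:
        # case 3: resolve once, with aliases disabled, so an alias can never
        # chain to another alias or loop, and its target is still prefix-checked.
        return resolve_vault_id(aliases[vid], prefix, check_alias=False)
    raise VaultIdError("not a valid %s# VaultID: %r" % (prefix, vid))

def rejects(vid, prefix, **kw):
    """True if resolve_vault_id refuses the input (helper for the demo)."""
    try:
        resolve_vault_id(vid, prefix, **kw)
    except VaultIdError:
        return True
    return False

if __name__ == "__main__":
    print(resolve_vault_id("m#123", "m"))
    print(resolve_vault_id("web", "s", ALIASES))
    print(rejects("m#123", "s"))
```

Anchoring the patterns with `fullmatch` and restricting digits to ASCII keeps inputs such as `12; ls` or `m#1x` from being partially accepted.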