Add associated_data to encrypt/decrypt transit endpoints (#1108)

* Fix for #1107 * Fix for #1107 * Fix linting issues
hvac · Mar 20, 2024 · 19ad4f5 · 19ad4f5
1 parent a38ce8d
commit 19ad4f5
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/hvac/api/secrets_engines/transit.py b/hvac/api/secrets_engines/transit.py
@@ -322,6 +322,7 @@ def encrypt_data(
         type=None,
         convergent_encryption=None,
         mount_point=DEFAULT_MOUNT_POINT,
+        associated_data=None,
     ):
         """Encrypt the provided plaintext using the named key.
 
@@ -340,6 +341,9 @@ def encrypt_data(
         :param context: Specifies the base64 encoded context for key derivation. This is required if key derivation is
             enabled for this key.
         :type context: str | unicode
+        :param associated_data: Specifies base64 encoded associated data (also known as additional data or AAD) to also be authenticated
+            with AEAD ciphers (aes128-gcm96, aes256-gcm, and chacha20-poly1305)
+        :type associated_data: str | unicode
         :param key_version: Specifies the version of the key to use for encryption. If not set, uses the latest version.
             Must be greater than or equal to the key's min_encryption_version, if set.
         :type key_version: int
@@ -376,6 +380,7 @@ def encrypt_data(
             utils.remove_nones(
                 {
                     "context": context,
+                    "associated_data": associated_data,
                     "key_version": key_version,
                     "nonce": nonce,
                     "batch_input": batch_input,
@@ -402,6 +407,7 @@ def decrypt_data(
         nonce=None,
         batch_input=None,
         mount_point=DEFAULT_MOUNT_POINT,
+        associated_data=None,
     ):
         """Decrypt the provided ciphertext using the named key.
 
@@ -415,6 +421,9 @@ def decrypt_data(
         :param context: Specifies the base64 encoded context for key derivation. This is required if key derivation is
             enabled.
         :type context: str | unicode
+        :param associated_data: Specifies base64 encoded associated data (also known as additional data or AAD) to also
+            be authenticated with AEAD ciphers (aes128-gcm96, aes256-gcm, and chacha20-poly1305)
+        :type associated_data: str | unicode
         :param nonce: Specifies a base64 encoded nonce value used during encryption. Must be provided if convergent
             encryption is enabled for this key and the key was generated with Vault 0.6.1. Not required for keys created
             in 0.6.2+.
@@ -437,6 +446,7 @@ def decrypt_data(
             utils.remove_nones(
                 {
                     "context": context,
+                    "associated_data": associated_data,
                     "nonce": nonce,
                     "batch_input": batch_input,
                 }