hvac · alainchiasson · Aug 6, 2024 · Aug 6, 2024 · Aug 6, 2024 · Aug 7, 2024
@@ -105,6 +105,44 @@ Examples
         nonce=nonce,
     )
 
+Decode Encoded Root Token
+-------------------------
+
+.. automethod:: hvac.api.system_backend.Key.decode_token
+   :noindex:
+
+Examples
+````````
+
+.. testsetup:: sys_key_decode_root
+
+    from tests.utils import get_generate_root_otp
+    new_otp = get_generate_root_otp()
+    start_generate_root_response = client.sys.start_root_token_generation(
+        otp=new_otp,
+    )
+    nonce = start_generate_root_response['nonce']
+    keys = manager.keys
+
+.. testcode:: sys_key_decode_root
+
+    import hvac
+    client = hvac.Client(url='https://127.0.0.1:8200')
+
+    client.sys.generate_root( key=keys[0],nonce=nonce,)
+    client.sys.generate_root( key=keys[1],nonce=nonce,)
+    response = client.sys.generate_root( key=keys[2],nonce=nonce,)
+
+    encoded_token = response["encoded_root_token"]
+
+    root_token_response = client.sys.decode_token(
+        otp=new_otp, 
+        encoded_token=encoded_token,
+    )
+
+    root_token = root_token_response['data']['token']
+
+
 
 Get Encryption Key Status
 -------------------------

@@ -75,6 +75,37 @@ def generate_root(self, key, nonce):
             json=params,
         )
 
+    def decode_token(self, otp, encoded_token):
+        """Decode the resulting encoded token using the otp.
+
+        Decodes the encoded_token generated by generate_root. The encoded root token
+        is part of the last generate_root call, Once the number of threshold keys
+        are reached. The root_token encoded using the OTP, either passed into or
+        generated by, the initial start_root_token_generation call.
+
+        NOTE: decode_token is only support starting with vault 1.13. An InvalidPath
+        exception will be raised.
+
+        Supported methods:
+            PUT: /sys/decode-token. Produces: 200 application/json
+
+        :param otp: Specifies the otp provided to/by start_root_token_generation.
+        :type otp: str | unicode
+        :param encoded_token: The resulting encoded_token once threshold keys are reached.
+        :type encoded_token: str | unicode
+        :return: The JSON response of the request.
+        :rtype: d
8000
ict
+        """
+        params = {
+            "otp": otp,
+            "encoded_token": encoded_token,
+        }
+        api_path = "/v1/sys/decode-token"
+        return self._adapter.put(
+            url=api_path,
+            json=params,
+        )
+
     def cancel_root_generation(self):
         """Cancel any in-progress root generation attempt.
 

@@ -28,11 +28,22 @@ def test_start_generate_root_with_completion(self):
         logging.debug("last_generate_root_response: %s" % last_generate_root_response)
         self.assertFalse(self.client.sys.read_root_generation_progress()["started"])
 
-        new_root_token = utils.decode_generated_root_token(
-            encoded_token=last_generate_root_response["encoded_root_token"],
-            otp=test_otp,
-            url=self.client.url,
-        )
+        # decode-token on >= 1.13
+        new_root_token = ""
+        if utils.vault_version_lt("1.13"):
+            new_root_token = utils.decode_generated_root_token(
+                encoded_token=last_generate_root_response["encoded_root_token"],
+                otp=test_otp,
+                url=self.client.url,
+            )
+        else:
+            new_root_token_response = self.client.sys.decode_token(
+                otp=test_otp,
+                encoded_token=last_generate_root_response["encoded_root_token"],
+            )
+
+            new_root_token = new_root_token_response["data"]["token"]
+
         logging.debug("new_root_token: %s" % new_root_token)
         token_lookup_resp = self.client.lookup_token(token=new_root_token)
         logging.debug("token_lookup_resp: %s" % token_lookup_resp)

@@ -324,11 +324,21 @@ def test_start_generate_root_with_completion(self):
         logging.debug("last_generate_root_response: %s" % last_generate_root_response)
         self.assertFalse(self.client.generate_root_status["started"])
 
-        new_root_token = utils.decode_generated_root_token(
-            encoded_token=last_generate_root_response["encoded_root_token"],
-            otp=test_otp,
-            url=self.client.url,
-        )
+        # decode-token on >= 1.13
+        new_root_token = ""
+        if utils.vault_version_lt("1.13"):
+            new_root_token = utils.decode_generated_root_token(
+                encoded_token=last_generate_root_response["encoded_root_token"],
+                otp=test_otp,
+                url=self.client.url,
+            )
+        else:
+            new_root_token_response = self.client.sys.decode_token(
+                otp=test_otp,
+                encoded_token=last_generate_root_response["encoded_root_token"],
+            )
+
+            new_root_token = new_root_token_response["data"]["token"]
         logging.debug("new_root_token: %s" % new_root_token)
         token_lookup_resp = self.client.auth.token.lookup(token=new_root_token)
         logging.debug("token_lookup_resp: %s" % token_lookup_resp)