waft.configuration.secrets_manager.ssh_key_manager module

class waft.configuration.secrets_manager.ssh_key_manager.SshKeyManager

Bases: object

Centralized manager for SSH key handling in WAFT.

Provider-agnostic responsibilities:
  • Validate SSH private keys

  • Save keys to disk with correct permissions

  • Ensure keys are available for target and proxy systems

  • Optionally retrieve secrets via injected secret providers

backup_key(path: Path, suffix: str = '.bak') → Path | None

Backup a key file if it exists.

Returns the backup path if created, else None.

create_directory_if_not_exists(dir_path: Path) → Path

Ensure the local key directory exists with 0700 permissions.

Returns the directory path.

prepare_key_from_content(dest_path: Path, content: str) → Path

Save key content to destination path if valid.

Parameters:
  • dest_path – Path where the key should be saved

  • content – SSH key content

Returns:

Path to the saved key file

Raises:

RuntimeError – If the key content is invalid

prepare_proxy_key(sources: list[Path], *, secrets_api: SecretsAPI | None = None, secret_name: str = 'proxy-ssh') → Path

Ensure the proxy SSH key exists and is valid.

Parameters:
  • sources – List of paths to check for valid keys

  • secrets_api – Optional SecretsAPI instance for retrieving keys from vault

  • secret_name – Name to request from the secrets API if used

Returns:

Path to the available proxy key file

Raises:

RuntimeError – If no valid key can be found or retrieved

prepare_target_key(sources: list[Path]) → Path

Ensure the target SSH key exists and is valid.

Parameters:

sources – List of paths to check for valid keys

Returns:

Path to the available target key file

Raises:

RuntimeError – If no valid target key can be obtained

prepare_target_key_from_paths(primary_path: Path, fallback_path: Path | None = None) → Path

Ensure the target SSH key exists from file paths.

Parameters:
  • primary_path – Primary path to check for key

  • fallback_path – Optional fallback path if primary doesn’t exist

Returns:

Path to the available target key file

Raises:

RuntimeError – If no valid target key can be obtained

read_public_key(private_key_path: Path) → str

Read the public key next to a private key path (‘.pub’ suffix).

remove_key(path: Path, *, backup: bool = True) → None

Remove a key file, optionally backing it up first.

save_key(path: Path, content: str) → None

Save an SSH private key to a file.

Parameters:
  • path – Path to the file where the key will be saved

  • content – String containing the SSH private key

Raises:

RuntimeError – If the key content is invalid

validate_key(key_content: str) → bool

Validate that a string is a valid SSH private key.

Parameters:

key_content – String containing the SSH private key

Returns:

True if the string is a valid SSH private key, False otherwise