
Module vault_ssh


Structs

SignResult
Result of a certificate signing operation.

Enums

CertStatus
Certificate validity status.

Constants

CERT_ERROR_BACKOFF_SECS
Shorter TTL for cached CertStatus::Invalid entries produced by check failures (e.g. unresolvable cert path). Error entries use this backoff instead of the 5-minute re-check TTL so transient errors recover quickly without hammering the background check thread on every poll tick.
CERT_STATUS_CACHE_TTL_SECS
TTL (in seconds) for the in-memory cert status cache before we re-run ssh-keygen -L against an on-disk certificate. Distinct from RENEWAL_THRESHOLD_SECS: this controls how often we re-check a cert’s validity, while RENEWAL_THRESHOLD_SECS is the minimum lifetime below which we actually request a new signature from Vault.
RENEWAL_THRESHOLD_SECS
Minimum remaining seconds before a cert needs renewal (5 minutes).

Functions

cert_path_for
Return the certificate path for a given alias: ~/.purple/certs/<alias>-cert.pub
check_cert_validity
Check the validity of an SSH certificate file via ssh-keygen -L.
ensure_cert
Ensure a valid certificate exists for a host. Signs a new one if needed. Checks at the CertificateFile path (or purple’s default) before signing.
format_remaining
Format remaining certificate time for display.
is_valid_role
Validate a Vault SSH role path. Accepts ASCII alphanumerics plus /, _ and -. Rejects empty strings and values longer than 128 chars.
is_valid_vault_addr
Validate a VAULT_ADDR value passed to the Vault CLI as an env var.
needs_renewal
Check if a certificate needs renewal.
normalize_vault_addr
Normalize a vault address so bare IPs and hostnames work. Prepends https:// when no scheme is present and appends a default port when none is specified: :80 for http://, :443 for https://, :8200 for bare hostnames and IPs (Vault’s default listener port). The default scheme is https:// because production Vault deployments terminate TLS; defaulting to http:// would send the Vault token to a bare hostname in cleartext. Dev-mode users can set http:// explicitly.
resolve_cert_path
Resolve the actual certificate file path for a host. Priority: CertificateFile directive > purple’s default cert path.
resolve_pubkey_path
Resolve the public key path for signing. Priority: host IdentityFile + “.pub” > ~/.ssh/id_ed25519.pub fallback. Returns an error when the user’s home directory cannot be determined. Any IdentityFile that resolves to a path outside $HOME is rejected and resolution falls back to the default ~/.ssh/id_ed25519.pub, so a crafted IdentityFile directive cannot make purple read (and submit to Vault) an arbitrary file on the filesystem.
resolve_vault_addr
Resolve the effective Vault address for a host.
resolve_vault_role
Resolve the effective vault role for a host. Priority: host-level vault_ssh > provider-level vault_role > None.
scrub_vault_stderr
Scrub a raw Vault CLI stderr for display. Drops lines containing credential-like tokens (token, secret, x-vault-, cookie, authorization), joins the rest with spaces and truncates to 200 chars.
sign_certificate
Sign an SSH public key via the Vault SSH secrets engine. Runs:
vault write -field=signed_key <role> public_key=@<pubkey_path>
(the @ prefix makes the Vault CLI read the public_key value from the file rather than taking the path as a literal) and writes the signed certificate to ~/.purple/certs/<alias>-cert.pub.
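The three rules above for values that cross the Vault CLI boundary (normalize_vault_addr on the way in, is_valid_role on the way in, scrub_vault_stderr on the way out), as an added example that is not purple's own code. The function names mirror the page; the has_port helper, case-insensitive marker matching, the bracketed-IPv6 handling, skipping blank stderr lines and the constructed SAMPLE_STDERR are assumptions of this example. is_valid_vault_addr is not reproduced because the page does not state its rules.

```rust
// Added example, not purple's own code: reimplementation of the documented
// rules for values handed to, and received from, the Vault CLI. Helpers and
// the sample stderr are assumptions of this example.

const MAX_ROLE_LEN: usize = 128;
const SCRUB_MAX_CHARS: usize = 200;
// Matched case-insensitively against each stderr line.
const SENSITIVE_MARKERS: [&str; 5] = ["token", "secret", "x-vault-", "cookie", "authorization"];

/// Vault SSH role path: ASCII alphanumerics plus '/', '_' and '-', non-empty, at most 128.
/// Only ASCII is admitted, so the byte length equals the char length.
pub fn is_valid_role(role: &str) -> bool {
    !role.is_empty()
        && role.len() <= MAX_ROLE_LEN
        && role.bytes().all(|b| b.is_ascii_alphanumeric() || matches!(b, b'/' | b'_' | b'-'))
}

/// True when the authority part of a URL already carries an explicit port.
/// IPv6 literals must be bracketed ("[::1]:8200"); an unbracketed "::1" is
/// ambiguous and is left untouched rather than guessed at.
fn has_port(authority: &str) -> bool {
    match authority.strip_prefix('[') {
        Some(bracketed) => bracketed.find(']').map_or(false, |i| bracketed[i + 1..].starts_with(':')),
        None => authority.contains(':'),
    }
}

/// Prepend https:// when no scheme is given, then append the default port when the
/// authority has none: :80 for http://, :443 for https://, :8200 for a bare host or IP.
pub fn normalize_vault_addr(addr: &str) -> String {
    let had_scheme = addr.contains("://");
    let with_scheme = if had_scheme { addr.to_string() } else { format!("https://{addr}") };
    let (scheme, rest) = with_scheme.split_once("://").expect("scheme present by construction");
    // Separate the authority from any path/query so a ':' later in the URL is not taken for a port.
    let (authority, tail) = match rest.find(|c: char| matches!(c, '/' | '?' | '#')) {
        Some(i) => (&rest[..i], &rest[i..]),
        None => (rest, ""),
    };
    if has_port(authority) {
        return format!("{scheme}://{rest}");
    }
    let port = match (had_scheme, scheme) {
        (false, _) => 8200, // bare host: Vault's default listener port
        (true, "http") => 80,
        _ => 443,
    };
    format!("{scheme}://{authority}:{port}{tail}")
}

/// Drop stderr lines containing credential-like markers, join the rest with single
/// spaces and truncate to 200 characters. Truncation counts chars, not bytes, so a
/// multi-byte character at the cut never panics the way `&s[..200]` would.
pub fn scrub_vault_stderr(raw: &str) -> String {
    let mut kept: Vec<&str> = Vec::new();
    for line in raw.lines() {
        let lower = line.to_ascii_lowercase();
        if SENSITIVE_MARKERS.iter().any(|m| lower.contains(m)) {
            continue;
        }
        let line = line.trim();
        if !line.is_empty() {
            kept.push(line);
        }
    }
    kept.join(" ").chars().take(SCRUB_MAX_CHARS).collect()
}

/// Constructed stderr in the shape of a Vault CLI permission error, followed by two
/// debug lines that must be redacted (the token and cookie values are fake).
pub const SAMPLE_STDERR: &str = "Error writing data to ssh-client-signer/sign/dev: Error making API request.\n\
\n\
URL: PUT https://vault.example.com:8200/v1/ssh-client-signer/sign/dev\n\
Code: 403. Errors:\n\
\n\
* permission denied\n\
DEBUG: request header X-Vault-Token: hvs.CAESIfakefakefake\n\
DEBUG: Set-Cookie: session=abc123\n";

fn main() {
    for a in ["vault.example.com", "10.0.0.5", "http://127.0.0.1", "https://vault.example.com:8200/", "[::1]"] {
        println!("{a:<35} -> {}", normalize_vault_addr(a));
    }
    println!("role ok: {}", is_valid_role("ssh-client-signer/sign/dev"));
    println!("scrubbed: {}", scrub_vault_stderr(SAMPLE_STDERR));
}
```

Two caveats worth carrying into a real implementation. The documented character set for is_valid_role admits a value that begins with '-' (for example -format=json); whether the Vault CLI would treat such a positional argument as a flag depends on its argument parser, so rejecting a leading '-' is a cheap additional guard. And the scrubber is a deny-list: a line such as "Authorization: Bearer ..." is caught, but a credential printed on a line with none of the markers passes through, so scrubbed output should still be treated as sensitive when it is written to a log.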
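The $HOME confinement rule described for resolve_pubkey_path, as an added example that is not purple's own code. The home directory is passed in as a parameter so the check runs offline; the lexical_normalize helper, treating a relative IdentityFile as relative to home, and the Unix-style sample paths are assumptions of this example.

```rust
// Added example, not purple's own code: resolve_pubkey_path with the documented
// priority (IdentityFile + ".pub" if it stays under $HOME, else the default) and
// a purely lexical confinement check. Relative paths resolve against home here,
// which is an assumption of this example.
use std::ffi::OsString;
use std::path::{Component, Path, PathBuf};

const DEFAULT_PUBKEY: &str = ".ssh/id_ed25519.pub";

/// Resolve "." and ".." lexically (no filesystem access, no symlink following).
fn lexical_normalize(p: &Path) -> PathBuf {
    let mut out = PathBuf::new();
    for component in p.components() {
        match component {
            Component::CurDir => {}
            Component::ParentDir => {
                out.pop(); // popping past the root is a no-op, so "/../etc" becomes "/etc"
            }
            other => out.push(other.as_os_str()),
        }
    }
    out
}

/// Public key to hand to `vault write ... public_key=@<path>`.
pub fn resolve_pubkey_path(home: &Path, identity_file: Option<&str>) -> PathBuf {
    let home = lexical_normalize(home);
    let default = home.join(DEFAULT_PUBKEY);
    let Some(raw) = identity_file else { return default };

    // ssh_config accepts "~" and "~/..." for the user's home directory.
    let expanded = match raw {
        "~" => home.clone(),
        _ => match raw.strip_prefix("~/") {
            Some(rest) => home.join(rest),
            None => PathBuf::from(raw),
        },
    };
    let absolute = if expanded.is_absolute() { expanded } else { home.join(expanded) };
    let candidate = lexical_normalize(&absolute);

    // Confinement: a crafted IdentityFile such as "~/../bob/.ssh/id_rsa" or
    // "/etc/ssl/private/host.key" must not make the tool read (and upload) that file.
    // Path::starts_with compares whole components, so "/home/alice2" is not under "/home/alice".
    // Home itself is rejected too, otherwise with_file_name below would produce "/home/alice.pub".
    if candidate == home || !candidate.starts_with(&home) {
        return default;
    }
    // Append ".pub" to the file name ("id_ed25519" -> "id_ed25519.pub").
    let mut name: OsString = candidate.file_name().map(|n| n.to_os_string()).unwrap_or_default();
    name.push(".pub");
    candidate.with_file_name(name)
}

fn main() {
    let home = Path::new("/home/alice");
    for id in [None, Some("~/.ssh/work_key"), Some("~/../bob/.ssh/id_rsa"), Some("/etc/ssl/private/host.key")] {
        println!("{id:?} -> {}", resolve_pubkey_path(home, id).display());
    }
}
```

A lexical check stops ".." traversal but not a symlink inside $HOME that points outside it. When the candidate file exists, running std::fs::canonicalize on both the home directory and the candidate before the starts_with comparison closes that gap; the cost is that a missing key file then has to be handled as an error rather than silently falling back.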
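How check_cert_validity, needs_renewal, format_remaining and the two cache TTLs (CERT_STATUS_CACHE_TTL_SECS versus CERT_ERROR_BACKOFF_SECS) fit together, as an added example that is not purple's own code, driven by a constructed ssh-keygen -L listing. The CertStatus variant shapes, the 30-second backoff value, the classify_listing and remaining_secs names, the days_from_civil date helper and reading the timestamps as UTC are all assumptions of this example; ssh-keygen prints them in local time, so a real check converts in the process's time zone.

```rust
// Added example, not purple's own code: certificate status lifecycle on the text
// of `ssh-keygen -L`. Variant shapes, the backoff value and UTC timestamps are
// assumptions of this example.

const RENEWAL_THRESHOLD_SECS: i64 = 5 * 60;
const CERT_STATUS_CACHE_TTL_SECS: u64 = 5 * 60;
const CERT_ERROR_BACKOFF_SECS: u64 = 30; // assumed value; the page gives none

#[derive(Debug, Clone, PartialEq)]
pub enum CertStatus {
    Valid { valid_to: i64 }, // inside its window; epoch seconds
    Invalid(String),         // parsed, but expired or not yet valid
    Error(String),           // the check itself failed: re-checked after a short backoff
}

/// Days since 1970-01-01 for a proleptic Gregorian date (Hinnant's days_from_civil).
fn days_from_civil(y: i64, m: i64, d: i64) -> i64 {
    let y = if m <= 2 { y - 1 } else { y };
    let era = (if y >= 0 { y } else { y - 399 }) / 400;
    let yoe = y - era * 400;
    let doy = (153 * ((m + 9) % 12) + 2) / 5 + d - 1;
    era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468
}

/// Parse the "YYYY-MM-DDTHH:MM:SS" form ssh-keygen -L prints, as epoch seconds (UTC assumed).
fn parse_cert_time(s: &str) -> Option<i64> {
    let (date, time) = s.split_once('T')?;
    let mut d = date.splitn(3, '-').map(|p| p.parse::<i64>().ok());
    let (y, mo, da) = (d.next()??, d.next()??, d.next()??);
    let mut t = time.splitn(3, ':').map(|p| p.parse::<i64>().ok());
    let (h, mi, se) = (t.next()??, t.next()??, t.next()??);
    if !(1..=12).contains(&mo) || !(1..=31).contains(&da) || h > 23 || mi > 59 || se > 60 {
        return None;
    }
    Some(days_from_civil(y, mo, da) * 86400 + h * 3600 + mi * 60 + se)
}

/// Classify a certificate from the text of `ssh-keygen -L -f <cert>` at time `now`.
/// Anything but a recognisable "Valid:" line is an Error, never silently Valid.
pub fn classify_listing(listing: &str, now: i64) -> CertStatus {
    let Some(rest) = listing.lines().map(str::trim).find_map(|l| l.strip_prefix("Valid:")) else {
        return CertStatus::Error("no Valid: line in ssh-keygen -L output".into());
    };
    let parts: Vec<&str> = rest.split_whitespace().collect();
    match parts.as_slice() {
        ["forever"] => CertStatus::Valid { valid_to: i64::MAX },
        ["from", from, "to", to] => match (parse_cert_time(from), parse_cert_time(to)) {
            (Some(from), Some(_)) if now < from => CertStatus::Invalid("not yet valid".into()),
            (Some(_), Some(to)) if now >= to => CertStatus::Invalid("expired".into()),
            (Some(_), Some(to)) => CertStatus::Valid { valid_to: to },
            _ => CertStatus::Error(format!("unparseable validity timestamps: {rest}")),
        },
        _ => CertStatus::Error(format!("unrecognised validity line: {rest}")),
    }
}

/// Seconds of validity left, or None when the status is not Valid.
pub fn remaining_secs(status: &CertStatus, now: i64) -> Option<i64> {
    match status {
        CertStatus::Valid { valid_to } => Some(valid_to.saturating_sub(now)),
        _ => None,
    }
}

/// Request a new signature when under RENEWAL_THRESHOLD_SECS remain or the cert is unusable.
pub fn needs_renewal(status: &CertStatus, now: i64) -> bool {
    remaining_secs(status, now).map_or(true, |left| left < RENEWAL_THRESHOLD_SECS)
}

/// Human-readable remaining time for display.
pub fn format_remaining(secs: i64) -> String {
    if secs <= 0 {
        return "expired".into();
    }
    let (d, h, m, s) = (secs / 86400, secs % 86400 / 3600, secs % 3600 / 60, secs % 60);
    if d > 0 { format!("{d}d {h}h") } else if h > 0 { format!("{h}h {m}m") } else { format!("{m}m {s}s") }
}

/// How long a cached status is trusted before ssh-keygen -L is re-run: check failures
/// back off briefly so a transient error recovers fast; parsed results keep the 5-minute TTL.
pub fn cache_ttl_secs(status: &CertStatus) -> u64 {
    match status {
        CertStatus::Error(_) => CERT_ERROR_BACKOFF_SECS,
        _ => CERT_STATUS_CACHE_TTL_SECS,
    }
}

/// Constructed listing in the shape of `ssh-keygen -L` output for a one-hour user certificate.
pub const SAMPLE_LISTING: &str = "/home/alice/.purple/certs/prod-db-cert.pub:\n\
        Type: ssh-ed25519-cert-v01@openssh.com user certificate\n\
        Key ID: \"alice\"\n\
        Serial: 1\n\
        Valid: from 2024-03-01T12:00:00 to 2024-03-01T13:00:00\n\
        Principals:\n\
                alice\n";
```

At 12:57 on the sample certificate, remaining_secs is 180, so needs_renewal is true even though the cached status is still Valid: the two constants answer different questions, as the page says, and a status that is Valid with three minutes left is exactly the case where RENEWAL_THRESHOLD_SECS (not the cache TTL) triggers a new vault write. An expired-but-parseable certificate is Invalid rather than Error here and so keeps the 5-minute cache TTL; the page only assigns the short backoff to check failures, so whether an expired cert should also be re-checked sooner is a choice it leaves open.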