diff --git a/pylxd/client.py b/pylxd/client.py
index c5c5c1eb..b8b37dd8 100644
--- a/pylxd/client.py
+++ b/pylxd/client.py
@@ -478,11 +478,15 @@ def assert_has_api_extension(self, name):
 if not self.has_api_extension(name):
 raise exceptions.LXDAPIExtensionNotAvailable(name)
- def authenticate(self, secret):
+ def authenticate(self, secret, use_token_auth=True):
 if self.trusted:
 return
 cert = open(self.api.session.cert[0]).read().encode("utf-8")
- self.certificates.create(secret, cert)
+
+ if self.has_api_extension("explicit_trust_token") and use_token_auth:
+ self.certificates.create(password="", cert_data=cert, secret=secret)
+ else:
+ self.certificates.create(password=secret, cert_data=cert)
 # Refresh the host info
 response = self.api.get()
diff --git a/pylxd/models/certificate.py b/pylxd/models/certificate.py
index eb616cf3..0b635c73 100644
--- a/pylxd/models/certificate.py
+++ b/pylxd/models/certificate.py
@@ -53,12 +53,13 @@ def all(cls, client):
 def create(
 cls,
 client,
- secret,
+ password,
 cert_data,
 cert_type="client",
 name="",
 projects=None,
 restricted=False,
+ secret="",
 ):
 """Create a new certificate."""
 cert = x509.load_pem_x509_certificate(cert_data, default_backend())
@@ -68,14 +69,18 @@ def create(
 data = {
 "type": cert_type,
 "certificate": base64_cert,
+ "password": password,
 "name": name,
 "restricted": restricted,
 "projects": projects,
 }
- if client.has_api_extension("explicit_trust_token"):
+
+ # secret/trust_token are safer than password but support for password is kept for
+ # backward compatibility
+ if client.has_api_extension("explicit_trust_token") and secret:
 data["trust_token"] = secret
- else:
- data["password"] = secret
+ del data["password"]
+
 response = client.api.certificates.post(json=data)
 location = response.headers["Location"]
 fingerprint = location.split("/")[-1]
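Review bot: `authenticate` gains `use_token_auth` but has no docstring, and the same `secret` argument is now sent either as a trust token or as a trust password depending on that flag and on what the server advertises. A caller holding a trust password for a server with `explicit_trust_token` has to know to pass `use_token_auth=False`, so I would add something like `"""Trust this client's certificate using secret: a trust token when the server has explicit_trust_token and use_token_auth is true, otherwise a trust password."""`. An empty `secret` on the token path reaches `Certificate.create` as `secret=""`, which that method treats as "no token" and posts with an empty password; it is worth deciding whether `authenticate` should reject an empty secret instead. The body of `authenticate` continues past the end of the hunk.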
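Review bot: Renaming the first positional parameter of `create` from `secret` to `password` changes what existing positional callers send. A trust token passed as the first argument used to go out as `trust_token` on servers with `explicit_trust_token`, and will now be posted in the `password` field, because the body in the next hunk only uses `trust_token` when the new `secret` keyword is set. Callers that passed `secret=` by keyword will now fail on the missing `password` argument. The docstring is still only `"""Create a new certificate."""`; it should say that `password` is the legacy trust password and that `secret` is the trust token, which wins when the extension is present. The function body continues in the following hunk.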
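Review bot: When `secret` is supplied but the server does not advertise `explicit_trust_token`, the token is dropped without any signal and the request is posted with whatever `password` holds, which is an empty string if the caller gave only a token. Failing early would make this visible, for example `if secret: client.assert_has_api_extension("explicit_trust_token")` ahead of building `data`, provided raising is acceptable for direct callers of `create`. Separately, writing `"password"` into `data` and then deleting it is harder to follow than setting exactly one of `data["trust_token"]` or `data["password"]` in an `if`/`else`. `create` starts before this hunk and appears to continue after it.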