From 7cff940c23956d0f870b86fa46e166f58304a4f5 Mon Sep 17 00:00:00 2001
From: wuzhaomin
Date: Sat, 11 May 2024 10:44:28 +0800
Subject: [PATCH] Add associated_data to encrypt/decrypt transit endpoints
---
 ...ata-to-encrypt-decrypt-transit-endpo.patch | 74 +++++++++++++++++++
 python-hvac.spec | 6 +-
 2 files changed, 79 insertions(+), 1 deletion(-)
 create mode 100644 backport-Add-associated_data-to-encrypt-decrypt-transit-endpo.patch
diff --git a/backport-Add-associated_data-to-encrypt-decrypt-transit-endpo.patch b/backport-Add-associated_data-to-encrypt-decrypt-transit-endpo.patch
new file mode 100644
index 0000000..6a021c2
--- /dev/null
+++ b/backport-Add-associated_data-to-encrypt-decrypt-transit-endpo.patch
@@ -0,0 +1,74 @@
+From 19ad4f5ae105cb77804bdf6e0dec52f21d448cc9 Mon Sep 17 00:00:00 2001
+From: Jordan Stopford <13164507+JordanStopford@users.noreply.github.com>
+Date: Wed, 20 Mar 2024 15:24:53 +0200
+Subject: [PATCH] Add associated_data to encrypt/decrypt transit endpoints
+ (#1108)
+
+* Fix for #1107
+
+* Fix for #1107
+
+* Fix linting issues
+---
+ hvac/api/secrets_engines/transit.py | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/hvac/api/secrets_engines/transit.py b/hvac/api/secrets_engines/transit.py
+index c7b9bd6..77185bc 100644
+--- a/hvac/api/secrets_engines/transit.py
++++ b/hvac/api/secrets_engines/transit.py
+@@ -322,6 +322,7 @@ class Transit(VaultApiBase):
+ type=None,
+ convergent_encryption=None,
+ mount_point=DEFAULT_MOUNT_POINT,
++ associated_data=None,
+ ):
+ """Encrypt the provided plaintext using the named key.
+
+@@ -340,6 +341,9 @@ class Transit(VaultApiBase):
+ :param context: Specifies the base64 encoded context for key derivation. This is required if key derivation is
+ enabled for this key.
+ :type context: str | unicode
++ :param associated_data: Specifies base64 encoded associated data (also known as additional data or AAD) to also be authenticated
++ with AEAD ciphers (aes128-gcm96, aes256-gcm, and chacha20-poly1305)
++ :type associated_data: str | unicode
+ :param key_version: Specifies the version of the key to use for encryption. If not set, uses the latest version.
+ Must be greater than or equal to the key's min_encryption_version, if set.
+ :type key_version: int
+@@ -376,6 +380,7 @@ class Transit(VaultApiBase):
+ utils.remove_nones(
+ {
+ "context": context,
++ "associated_data": associated_data,
+ "key_version": key_version,
+ "nonce": nonce,
+ "batch_input": batch_input,
+@@ -402,6 +407,7 @@ class Transit(VaultApiBase):
+ nonce=None,
+ batch_input=None,
+ mount_point=DEFAULT_MOUNT_POINT,
++ associated_data=None,
+ ):
+ """Decrypt the provided ciphertext using the named key.
+
+@@ -415,6 +421,9 @@ class Transit(VaultApiBase):
+ :param context: Specifies the base64 encoded context for key derivation. This is required if key derivation is
+ enabled.
+ :type context: str | unicode
++ :param associated_data: Specifies base64 encoded associated data (also known as additional data or AAD) to also
++ be authenticated with AEAD ciphers (aes128-gcm96, aes256-gcm, and chacha20-poly1305)
++ :type associated_data: str | unicode
+ :param nonce: Specifies a base64 encoded nonce value used during encryption. Must be provided if convergent
+ encryption is enabled for this key and the key was generated with Vault 0.6.1. Not required for keys created
+ in 0.6.2+.
+@@ -437,6 +446,7 @@ class Transit(VaultApiBase):
+ utils.remove_nones(
+ {
+ "context": context,
++ "associated_data": associated_data,
+ "nonce": nonce,
+ "batch_input": batch_input,
+ }
+--
+2.9.3.windows.1
+
diff --git a/python-hvac.spec b/python-hvac.spec
index e4c6c06..166e77e 100644
--- a/python-hvac.spec
+++ b/python-hvac.spec
@@ -1,10 +1,11 @@
 Name: python-hvac
 Version: 2.1.0
-Release: 1
+Release: 2
 Summary: HashiCorp Vault API client for Python
 License: ASL 2.0
 URL: https://github.com/hvac/hvac
 Source0: https://files.pythonhosted.org/packages/9a/d1/b4b06bd69d541b9650646c930cab6b1d2ea02199c914c8fe8666d075a596/hvac-2.1.0.tar.gz
+Patch0: backport-Add-associated_data-to-encrypt-decrypt-transit-endpo.patch
 BuildArch: noarch
 %description
@@ -38,6 +39,9 @@ This package provides a Python API client for HashiCorp Vault.
 %{python3_sitelib}/*
 %changelog
+* Sat May 11 2024 wuzhaomin - 2.1.0-2
+- Add associated_data to encrypt/decrypt transit endpoints
+
 * Fri Feb 23 2024 wangjunqi - 2.1.0-1
 - Update package to version 2.1.0
 Add support for sys/policies endpoint (GH-1100)
--
Gitee
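Review bot: The `associated_data` docstrings added in the backported hunks at -340,6 (encrypt) and -415,6 (decrypt) do not tell the caller that decryption only succeeds when the same value used at encryption time is supplied again. I would add one sentence to both, for example `The same associated data must be passed to decrypt; it is authenticated but not encrypted, so the caller has to keep it alongside the ciphertext.` The value is placed in the request dict next to `context` and goes through `utils.remove_nones` with no local check, so the docstring's "base64 encoded" wording is the only thing steering a caller away from passing raw text. When `batch_input` is also given, the top-level `associated_data` is still sent; whether the server applies it to each batch item cannot be seen from these hunks and should be confirmed and documented. Both method bodies begin and end outside the hunks shown, and the backport touches only `transit.py`, so no test for the new parameter comes with it.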