class hop.auth.Auth(user, password, host='', ssl=True, method=None, token_endpoint=None, **kwargs)[source]

Attach SASL-based authentication to a client.

Returns client-based auth options when called.

  • user (str) – Username to authenticate with.

  • password (str) – Password to authenticate with.

  • host (str, optional) – The name of the host for which this authentication is valid.

  • ssl (bool, optional) – Whether to enable SSL (enabled by default).

  • method (SASLMethod, optional) – The SASL method to authenticate. The default is SASLMethod.OAUTHBEARER if token_endpoint is provided, or SASLMethod.SCRAM_SHA_512 otherwise. See valid SASL methods in SASLMethod.

  • ssl_ca_location (str, optional) – If using SSL via a self-signed cert, a path/location to the certificate.

  • token_endpoint (str, optional) – The OpenID Connect token endpoint URL. Required for OAUTHBEARER / OpenID Connect, otherwise ignored.

property hostname

The hostname with which this creential is associated, or the empty string if the credential did not contain this information

property mechanism

The authentication mechanism to use

property password

The password for this credential

property protocol

The communication protocol to use

property ssl

Whether communication should be secured with SSL

property ssl_ca_location

The location of the Certfificate Authority data used for SSL, or None if SSL is not enabled

property token_endpoint

The OpenID Connect token endpoint, or None if OpenID Connect is not enabled

property username

The username for this credential


Load a new credential and store it to the persistent configuration.


args – Command line options/arguments object. args.cred_file is taken as the path to a CSV file to import, or if None the user is prompted to enter a credential directly. args.force controls whether an existing credential with an identical name will be overwritten.

hop.auth.delete_credential(name: str)[source]

Delete a credential from the persistent configuration.

  • name – The username, or username and hostname separated by an ‘@’ character of the credential

  • delete. (to) –


RuntimeError – If no credentials or more than one credential matches the specified name, making the operation impossible or ambiguous.


Display a list of all configured credentials.


Configures Auth instances from a configuration file.


config_file – Path to a configuration file, loading from the default location if not given.


A list of configured Auth instances.

  • RuntimeError – The config file exists, but has unsafe permissions and will not be read until they are corrected.

  • KeyError – An error occurred parsing the configuration file.

  • FileNotFoundError – The configuration file, either as specified explicitly or found automatically, does not exist


Remove auth data from a general configuration file.

This can be needed when updating auth data which was read from the general config for backwards compatibility, but is then written out to the correct new location in a separate auth config, as is now proper. With no further action, this would leave a vestigial copy from before the update in the general config file, which would not be rewritten, so this function exists to perform the necessary rewrite.


config_file – Path to a configuration file, rewriting the default location if not given.


RuntimeError – The config file is malformed.


Import a credential from a CSV file or obtain it interactively from the user.


csv_file – Path to a file from which to read credential data in CSV format. If unspecified, the user will be prompted to enter data instead.


A configured Auth object containing the new credential.

  • FileNotFoundError – If csv_file is not None and refers to a nonexistent path.

  • KeyError – If csv_file is not None and the specified file does not contain either a username or password field.

  • RuntimeError – If csv_file is None and the interactively entered username or passwod is empty.

hop.auth.select_matching_auth(creds, hostname, username=None)[source]

Selects the most appropriate credential to use when attempting to contact the given host.

  • creds – A list of configured Auth objects. These can be obtained from load_auth().

  • hostname – The name of the host for which to select suitable credentials.

  • usernamestr, optional The name of the credential to use.


A single Auth object which should be used to authenticate.


RuntimeError – Too many or too few credentials matched.

hop.auth.write_auth_data(config_file, credentials)[source]

Write configuration file for the set of credentials.

Creates containing directories as needed.

  • config_file – configuration file path

  • credentials – list of Auth objects representing credentials to be stored