def test_valid_rsa_request():
    """A valid RSA public key yields an RSA builder whose serialized cert is tagged with the RSA certified-key type."""
    authority = get_ssh_certificate_authority(
        RSA_CA_PRIVATE_KEY, RSA_CA_PRIVATE_KEY_PASSWORD)
    builder = get_ssh_certificate_builder(
        authority, SSHCertificateType.USER, EXAMPLE_RSA_PUBLIC_KEY)
    cert_text = builder.get_cert_file()
    # The factory must dispatch on key type, and the cert text must carry
    # the matching certified-key type prefix.
    assert isinstance(builder, RSACertificateBuilder)
    assert cert_text.startswith(SSHCertifiedKeyType.RSA)
def test_ed25519_user_cert_defaults():
    """An ED25519 user cert built with the fixture nonce and key id reproduces the golden cert exactly."""
    authority = get_basic_rsa_ca()
    subject_key = ED25519PublicKey(EXAMPLE_ED25519_PUBLIC_KEY)
    builder = ED25519CertificateBuilder(authority, SSHCertificateType.USER, subject_key)
    # Pin the nonce to the one embedded in the golden cert so the output is
    # deterministic and can be compared byte-for-byte.
    golden_nonce = extract_nonce_from_cert(ED25519_USER_CERT_DEFAULTS)
    builder.set_nonce(nonce=golden_nonce)
    builder.set_key_id(ED25519_USER_CERT_DEFAULTS_KEY_ID)
    assert builder.get_cert_file() == ED25519_USER_CERT_DEFAULTS
def get_basic_cert_builder_rsa(cert_type=SSHCertificateType.USER,
                               public_key=EXAMPLE_RSA_PUBLIC_KEY):
    """Return an RSACertificateBuilder backed by the basic test RSA CA.

    Args:
        cert_type: certificate type to build; defaults to USER.
        public_key: public key to certify; defaults to the RSA example key.
    """
    # Arguments are evaluated left to right: CA first, then the public key.
    return RSACertificateBuilder(get_basic_rsa_ca(), cert_type,
                                 get_basic_public_key(public_key))
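def test_invalid_key_request():
    """A public key of the wrong type is rejected by the builder factory with TypeError.

    The CA is loaded outside the ``pytest.raises`` context so that a
    TypeError raised while loading the CA key cannot satisfy the
    expectation and mask a regression in the factory's key-type check.
    """
    ca = get_ssh_certificate_authority(RSA_CA_PRIVATE_KEY, RSA_CA_PRIVATE_KEY_PASSWORD)
    with pytest.raises(TypeError):
        get_ssh_certificate_builder(ca, SSHCertificateType.USER, 'bogus')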
config.get(KMSAUTH_SECTION, KMSAUTH_SERVICE_ID_OPTION),
region
)
# decrypt_token will raise a TokenValidationError if token doesn't match
validator.decrypt_token(
"2/user/{}".format(request.bastion_user),
request.kmsauth_token
)
except TokenValidationError as e:
return error_response('KMSAuthValidationError', str(e))
else:
return error_response('InputValidationError', 'Invalid request, missing kmsauth token')
# Build the cert
ca = get_ssh_certificate_authority(ca_private_key, ca_private_key_password)
cert_builder = get_ssh_certificate_builder(ca, SSHCertificateType.USER,
request.public_key_to_sign)
for username in request.remote_usernames.split(','):
cert_builder.add_valid_principal(username)
cert_builder.set_valid_before(valid_before)
cert_builder.set_valid_after(valid_after)
if certificate_extensions:
for e in certificate_extensions.split(','):
if e:
cert_builder.add_extension(e)
else:
cert_builder.clear_extensions()
# cert_builder is needed to obtain the SSH public key's fingerprint
key_id = 'request[{}] for[{}] from[{}] command[{}] ssh_key[{}] ca[{}] valid_to[{}]'.format(
def set_extensions_to_default(self):
    """
    Reset the certificate's extension set to what ssh-keygen grants by default.

    SSH certificate extensions enable optional SSH features; a session
    authenticated with the certificate cannot use a feature whose extension
    is absent. USER certificates receive the full ssh-keygen default set,
    which includes X11, agent and port forwarding. HOST certificates have no
    applicable extensions, so their set is cleared. A narrower grant can be
    composed with clear_extensions() followed by add_extension() calls.
    See http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys
    """
    if self.cert_type is not SSHCertificateType.USER:
        # Only USER certs carry extensions; every other type ends up empty.
        self.clear_extensions()
        return
    self.extensions = {
        'permit-pty',
        'permit-user-rc',
        'permit-X11-forwarding',
        'permit-agent-forwarding',
        'permit-port-forwarding',
    }