def Run(self, args):  # pylint: disable=line-too-long
  """List the CryptoKeyVersions that belong to a CryptoKey.

  Args:
    args: Parsed command arguments; only args.limit is read in this method.

  Returns:
    The result of list_pager.YieldFromList, reading the 'cryptoKeyVersions'
    field of each response page.
  """
  client = cloudkms_base.GetClientInstance()
  messages = cloudkms_base.GetMessagesModule()

  # No ids are passed here, so the registry has to resolve the CryptoKey from
  # defaults set up elsewhere (presumably by the command's flags -- confirm).
  parent_key_ref = resources.REGISTRY.Create(flags.CRYPTO_KEY_COLLECTION)

  list_request_cls = (
      messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsListRequest)
  list_request = list_request_cls(parent=parent_key_ref.RelativeName())

  return list_pager.YieldFromList(
      client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions,
      list_request,
      field='cryptoKeyVersions',
      limit=args.limit,
      batch_size_attribute='pageSize')
def GetCryptoKeyIamPolicy(crypto_key_ref):
  """Read the IAM Policy currently bound to a CryptoKey.

  The request carries only the resource name; no requested policy version is
  set on it.
  NOTE(review): confirm the server-side default version is sufficient if
  policies on these keys may contain conditional bindings.

  Args:
    crypto_key_ref: A resources.Resource naming the CryptoKey.

  Returns:
    An apitools wrapper for the IAM Policy.
  """
  client = base.GetClientInstance()
  messages = base.GetMessagesModule()

  get_policy_cls = (
      messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysGetIamPolicyRequest)
  get_policy_request = get_policy_cls(resource=crypto_key_ref.RelativeName())

  crypto_keys_service = client.projects_locations_keyRings_cryptoKeys
  return crypto_keys_service.GetIamPolicy(get_policy_request)
def Run(self, args):
  """Encrypt a plaintext input with a CryptoKey and write out the ciphertext.

  The request built here carries only the plaintext and the optional
  additional authenticated data (AAD); no checksum fields are set on it.
  The ciphertext destination is written with overwrite=True, so an existing
  file at that path is replaced.

  Args:
    args: Parsed command arguments. Reads plaintext_file,
      additional_authenticated_data_file, version and ciphertext_file.

  Raises:
    exceptions.InvalidArgumentException: Both inputs were given as '-'.
    exceptions.BadFileException: An input could not be read, or the
      ciphertext could not be written.
  """
  plaintext_path = args.plaintext_file
  aad_path = args.additional_authenticated_data_file

  # Both inputs cannot be taken from stdin at once.
  if plaintext_path == '-' and aad_path == '-':
    raise exceptions.InvalidArgumentException(
        '--plaintext-file',
        '--plaintext-file and --additional-authenticated-data-file cannot '
        'both read from stdin.')

  try:
    # The Encrypt API limits the plaintext to 64KiB.
    plaintext = self._ReadFileOrStdin(plaintext_path, max_bytes=65536)
  except files.Error as read_error:
    raise exceptions.BadFileException(
        'Failed to read plaintext file [{0}]: {1}'.format(
            plaintext_path, read_error))

  aad = None
  if aad_path:
    try:
      # The Encrypt API limits the AAD to 64KiB.
      aad = self._ReadFileOrStdin(aad_path, max_bytes=65536)
    except files.Error as read_error:
      raise exceptions.BadFileException(
          'Failed to read additional authenticated data file [{0}]: {1}'.
          format(aad_path, read_error))

  # A given --version pins the request to that CryptoKeyVersion; otherwise
  # the CryptoKey itself is named.
  parse_target = (
      flags.ParseCryptoKeyVersionName if args.version
      else flags.ParseCryptoKeyName)
  crypto_key_ref = parse_target(args)

  client = cloudkms_base.GetClientInstance()
  messages = cloudkms_base.GetMessagesModule()

  encrypt_call = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysEncryptRequest(
      name=crypto_key_ref.RelativeName())
  encrypt_call.encryptRequest = messages.EncryptRequest(
      plaintext=plaintext, additionalAuthenticatedData=aad)

  response = client.projects_locations_keyRings_cryptoKeys.Encrypt(encrypt_call)

  try:
    files.WriteFileOrStdoutContents(
        args.ciphertext_file,
        response.ciphertext,
        binary=True,
        overwrite=True)
  except files.Error as write_error:
    raise exceptions.BadFileException(write_error)
def GetKeyRingIamPolicy(key_ring_ref):
  """Read the IAM Policy currently bound to a KeyRing.

  The request asks for iam_util.MAX_LIBRARY_IAM_SUPPORTED_VERSION as the
  policy version (presumably so the returned policy is not reduced to an
  older policy format -- confirm against the IAM API docs).

  Args:
    key_ring_ref: A resources.Resource naming the KeyRing.

  Returns:
    An apitools wrapper for the IAM Policy.
  """
  client = base.GetClientInstance()
  messages = base.GetMessagesModule()

  get_policy_cls = messages.CloudkmsProjectsLocationsKeyRingsGetIamPolicyRequest
  get_policy_request = get_policy_cls(
      options_requestedPolicyVersion=iam_util.MAX_LIBRARY_IAM_SUPPORTED_VERSION,
      resource=key_ring_ref.RelativeName())

  key_rings_service = client.projects_locations_keyRings
  return key_rings_service.GetIamPolicy(get_policy_request)
def Run(self, args):
  """List the KeyRings in a location of the current project.

  Args:
    args: Parsed command arguments. Reads --location (through
      args.MakeGetOrRaise) and args.limit.

  Returns:
    The result of list_pager.YieldFromList, reading the 'keyRings' field of
    each response page.
  """
  client = cloudkms_base.GetClientInstance()
  messages = cloudkms_base.GetMessagesModule()

  # Both ids are handed over as resolvers, not values: GetOrFail is passed
  # uncalled, and MakeGetOrRaise presumably returns a callable as well.
  location_ref = resources.REGISTRY.Create(
      flags.LOCATION_COLLECTION,
      locationsId=args.MakeGetOrRaise('--location'),
      projectsId=properties.VALUES.core.project.GetOrFail)

  list_request_cls = messages.CloudkmsProjectsLocationsKeyRingsListRequest
  list_request = list_request_cls(parent=location_ref.RelativeName())

  return list_pager.YieldFromList(
      client.projects_locations_keyRings,
      list_request,
      field='keyRings',
      limit=args.limit,
      batch_size_attribute='pageSize')
def UpdatePrimaryVersion(self, args):
  """Point a CryptoKey's primary version at args.primary_version.

  An apitools HttpError from the service is swallowed and reported as None,
  so the reason for the failure (permission denied, not found, ...) is not
  available to the caller. Callers must treat None as "update failed".

  Args:
    args: Parsed command arguments. Reads the 'key' concept and
      primary_version.

  Returns:
    The service response, or None if the call raised
    apitools_exceptions.HttpError.
  """
  client = cloudkms_base.GetClientInstance()
  messages = cloudkms_base.GetMessagesModule()
  crypto_key_ref = args.CONCEPTS.key.Parse()

  request_cls = (
      messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysUpdatePrimaryVersionRequest)
  key_name = crypto_key_ref.RelativeName()
  primary_update = messages.UpdateCryptoKeyPrimaryVersionRequest(
      cryptoKeyVersionId=args.primary_version)
  update_request = request_cls(
      name=key_name, updateCryptoKeyPrimaryVersionRequest=primary_update)

  try:
    return client.projects_locations_keyRings_cryptoKeys.UpdatePrimaryVersion(
        update_request)
  except apitools_exceptions.HttpError:
    return None
def Run(self, args):
  """List the CryptoKeys in a KeyRing of the current project.

  Args:
    args: Parsed command arguments; only args.limit is read in this method.

  Returns:
    The result of list_pager.YieldFromList, reading the 'cryptoKeys' field
    of each response page.
  """
  client = cloudkms_base.GetClientInstance()
  messages = cloudkms_base.GetMessagesModule()

  # Only the project resolver is supplied (GetOrFail is passed uncalled);
  # the remaining ids must come from registry defaults set elsewhere.
  key_ring_ref = resources.REGISTRY.Create(
      flags.KEY_RING_COLLECTION,
      projectsId=properties.VALUES.core.project.GetOrFail)

  list_request_cls = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysListRequest
  list_request = list_request_cls(parent=key_ring_ref.RelativeName())

  return list_pager.YieldFromList(
      client.projects_locations_keyRings_cryptoKeys,
      list_request,
      field='cryptoKeys',
      limit=args.limit,
      batch_size_attribute='pageSize')
def GetPublicKey(version_ref):
  """Fetch the public key of a CryptoKeyVersion from the service.

  Args:
    version_ref: A resources.Resource for the CryptoKeyVersion.

  Returns:
    The CryptoKeyVersion's PublicKey.
  """
  client = cloudkms_base.GetClientInstance()
  messages = cloudkms_base.GetMessagesModule()

  get_key_cls = (
      messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsGetPublicKeyRequest)
  get_key_request = get_key_cls(name=version_ref.RelativeName())

  versions_service = (
      client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions)
  return versions_service.GetPublicKey(get_key_request)
def _CreateRequest(self, args):
  """Build the CryptoKeys.Create request described by the command flags.

  --default-algorithm is checked against --purpose before the request is
  assembled, so an incompatible pair is rejected before anything is sent.

  Args:
    args: Parsed command arguments. args.default_algorithm is set to
      'google-symmetric-encryption' when it is empty and the purpose is
      'encryption'.

  Returns:
    The create request, after its cryptoKey has been passed to the
    flags.SetNextRotationTime, SetRotationPeriod and
    SetDestroyScheduledDuration helpers.

  Raises:
    kms_exceptions.ArgumentError: No algorithm was given for a purpose other
      than 'encryption', or the algorithm is not valid for the purpose.
  """
  messages = cloudkms_base.GetMessagesModule()
  purpose = maps.PURPOSE_MAP[args.purpose]
  valid_algorithms = maps.VALID_ALGORITHMS_MAP[purpose]

  # Only 'encryption' keys may omit the algorithm; for backward
  # compatibility they then default to google-symmetric-encryption.
  algorithm_missing = not args.default_algorithm
  if algorithm_missing and args.purpose != 'encryption':
    raise kms_exceptions.ArgumentError(
        '--default-algorithm needs to be specified when creating a key with'
        ' --purpose={}. The valid algorithms are: {}'.format(
            args.purpose, ', '.join(valid_algorithms)))
  if algorithm_missing:
    args.default_algorithm = 'google-symmetric-encryption'

  # The (possibly defaulted) algorithm must be allowed for this purpose.
  if args.default_algorithm not in valid_algorithms:
    raise kms_exceptions.ArgumentError(
        'Default algorithm and purpose are incompatible. Here are the valid '
        'algorithms for --purpose={}: {}'.format(
            args.purpose, ', '.join(valid_algorithms)))

  crypto_key_ref = args.CONCEPTS.key.Parse()
  parent_ref = crypto_key_ref.Parent()

  create_cls = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCreateRequest
  parent_name = parent_ref.RelativeName()
  key_id = crypto_key_ref.Name()

  version_template = messages.CryptoKeyVersionTemplate(
      protectionLevel=maps.PROTECTION_LEVEL_MAPPER.GetEnumForChoice(
          args.protection_level),
      algorithm=maps.ALGORITHM_MAPPER.GetEnumForChoice(
          args.default_algorithm))
  new_key = messages.CryptoKey(
      purpose=purpose,
      versionTemplate=version_template,
      labels=labels_util.ParseCreateArgs(
          args, messages.CryptoKey.LabelsValue),
      importOnly=args.import_only,
      cryptoKeyBackend=args.crypto_key_backend)

  req = create_cls(
      parent=parent_name,
      cryptoKeyId=key_id,
      cryptoKey=new_key,
      skipInitialVersionCreation=args.skip_initial_version_creation)

  flags.SetNextRotationTime(args, req.cryptoKey)
  flags.SetRotationPeriod(args, req.cryptoKey)
  flags.SetDestroyScheduledDuration(args, req.cryptoKey)
  return req
def _CreateRequest(self, args):
  """Build the CryptoKeys.Create request described by the command flags.

  --default-algorithm is checked against --purpose before the request is
  assembled, so an incompatible pair is rejected before anything is sent.

  Args:
    args: Parsed command arguments. args.default_algorithm is set to
      'google-symmetric-encryption' when it is empty and the purpose is
      'encryption'.

  Returns:
    The create request, after its cryptoKey has been passed to the
    flags.SetNextRotationTime and flags.SetRotationPeriod helpers.

  Raises:
    exceptions.ToolException: No algorithm was given for a purpose other
      than 'encryption', or the algorithm is not valid for the purpose.
  """
  messages = cloudkms_base.GetMessagesModule()
  purpose = maps.PURPOSE_MAP[args.purpose]
  valid_algorithms = maps.VALID_ALGORITHMS_MAP[purpose]

  # Only 'encryption' keys may omit the algorithm; for backward
  # compatibility they then default to google-symmetric-encryption.
  algorithm_missing = not args.default_algorithm
  if algorithm_missing and args.purpose != 'encryption':
    raise exceptions.ToolException(
        '--default-algorithm needs to be specified when creating a key with'
        ' --purpose={}. The valid algorithms are: {}'.format(
            args.purpose, ', '.join(valid_algorithms)))
  if algorithm_missing:
    args.default_algorithm = 'google-symmetric-encryption'

  # The (possibly defaulted) algorithm must be allowed for this purpose.
  if args.default_algorithm not in valid_algorithms:
    raise exceptions.ToolException(
        'Default algorithm and purpose are incompatible. Here are the valid '
        'algorithms for --purpose={}: {}'.format(
            args.purpose, ', '.join(valid_algorithms)))

  crypto_key_ref = flags.ParseCryptoKeyName(args)
  parent_ref = flags.ParseParentFromResource(crypto_key_ref)

  create_cls = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCreateRequest
  parent_name = parent_ref.RelativeName()
  key_id = crypto_key_ref.Name()

  # TODO(b/35914817): Find a better way to get the enum value by name.
  version_template = messages.CryptoKeyVersionTemplate(
      protectionLevel=maps.PROTECTION_LEVEL_MAPPER.GetEnumForChoice(
          args.protection_level),
      algorithm=maps.ALGORITHM_MAPPER.GetEnumForChoice(
          args.default_algorithm))
  new_key = messages.CryptoKey(
      purpose=purpose,
      versionTemplate=version_template,
      labels=labels_util.ParseCreateArgs(
          args, messages.CryptoKey.LabelsValue))

  req = create_cls(parent=parent_name, cryptoKeyId=key_id, cryptoKey=new_key)

  flags.SetNextRotationTime(args, req.cryptoKey)
  flags.SetRotationPeriod(args, req.cryptoKey)
  return req
def Run(self, args):  # pylint: disable=line-too-long
  """Create a CryptoKeyVersion and optionally make it the primary version.

  Creation and promotion are two separate API calls. If the second call
  raises, the new version already exists but is not primary, and the
  exception propagates to the caller.

  Args:
    args: Parsed command arguments. Reads args.primary, plus whatever
      self._CreateCreateCKVRequest and flags.ParseCryptoKeyName read.

  Returns:
    The CryptoKeyVersion returned by the Create call.
  """
  client = cloudkms_base.GetClientInstance()
  versions_service = (
      client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions)
  new_ckv = versions_service.Create(self._CreateCreateCKVRequest(args))

  if not args.primary:
    return new_ckv

  # The version id is the last path segment of the new resource name.
  version_id = new_ckv.name.rsplit('/', 1)[-1]

  crypto_key_ref = flags.ParseCryptoKeyName(args)
  messages = cloudkms_base.GetMessagesModule()

  request_cls = (
      messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysUpdatePrimaryVersionRequest)
  key_name = crypto_key_ref.RelativeName()
  primary_update = messages.UpdateCryptoKeyPrimaryVersionRequest(
      cryptoKeyVersionId=version_id)
  promote_request = request_cls(
      name=key_name, updateCryptoKeyPrimaryVersionRequest=primary_update)

  client.projects_locations_keyRings_cryptoKeys.UpdatePrimaryVersion(
      promote_request)
  return new_ckv
def _CreateRequest(self, args):
  """Build the CryptoKeys.Create request described by the command flags.

  Args:
    args: Parsed command arguments. Reads args.purpose here; the flags and
      labels_util helpers read the rest.

  Returns:
    The create request, after its cryptoKey has been passed to the
    flags.SetNextRotationTime and flags.SetRotationPeriod helpers.
  """
  messages = cloudkms_base.GetMessagesModule()

  crypto_key_ref = flags.ParseCryptoKeyName(args)
  parent_ref = flags.ParseParentFromResource(crypto_key_ref)

  create_cls = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCreateRequest
  parent_name = parent_ref.RelativeName()
  key_id = crypto_key_ref.Name()

  # TODO(b/35914817): Find a better way to get the enum value by name.
  new_key = messages.CryptoKey(
      purpose=maps.PURPOSE_MAP[args.purpose],
      labels=labels_util.ParseCreateArgs(
          args, messages.CryptoKey.LabelsValue))

  req = create_cls(parent=parent_name, cryptoKeyId=key_id, cryptoKey=new_key)

  flags.SetNextRotationTime(args, req.cryptoKey)
  flags.SetRotationPeriod(args, req.cryptoKey)
  return req
def GetKeyRingIamPolicy(key_ring_ref):
  """Read the IAM Policy currently bound to a KeyRing.

  The KeyRing is addressed by its three id components rather than by a
  relative resource name.

  Args:
    key_ring_ref: A resources.Resource naming the KeyRing.

  Returns:
    An apitools wrapper for the IAM Policy.
  """
  client = base.GetClientInstance()
  messages = base.GetMessagesModule()

  get_policy_cls = messages.CloudkmsProjectsLocationsKeyRingsGetIamPolicyRequest
  key_ring_ids = {
      'projectsId': key_ring_ref.projectsId,
      'locationsId': key_ring_ref.locationsId,
      'keyRingsId': key_ring_ref.keyRingsId,
  }
  get_policy_request = get_policy_cls(**key_ring_ids)

  key_rings_service = client.projects_locations_keyRings
  return key_rings_service.GetIamPolicy(get_policy_request)
def Run(self, args):
  """Describe a CryptoKey, with the primary version's attestation removed.

  Args:
    args: Parsed command arguments; the 'key' concept is read from them.

  Returns:
    The CryptoKey returned by the service, with primary.attestation set to
    None when it was present.

  Raises:
    exceptions.InvalidArgumentException: The parsed key id is empty.
  """
  client = cloudkms_base.GetClientInstance()
  messages = cloudkms_base.GetMessagesModule()

  crypto_key_ref = args.CONCEPTS.key.Parse()
  if not crypto_key_ref.Name():
    raise exceptions.InvalidArgumentException(
        'key', 'key id must be non-empty.')

  get_request = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysGetRequest(
      name=crypto_key_ref.RelativeName())
  resp = client.projects_locations_keyRings_cryptoKeys.Get(get_request)

  # Suppress the attestation in the response, if there is one. Users can use
  # keys versions describe --attestation-file to obtain it, instead.
  has_attestation = resp.primary and resp.primary.attestation
  if has_attestation:
    resp.primary.attestation = None

  return resp
def Run(self, args):
  """Describe a CryptoKeyVersion and optionally save its attestation.

  With --attestation-file, the attestation content is written to that path
  with overwrite=True, so an existing file there is replaced. The content
  and certificate chains are then blanked on the returned object so they do
  not appear in the printed output.

  Args:
    args: Parsed command arguments. Reads args.attestation_file, plus
      whatever flags.ParseCryptoKeyVersionName reads.

  Returns:
    The CryptoKeyVersion, with attestation.content and
    attestation.certChains set to None when an attestation is present.

  Raises:
    exceptions.InvalidArgumentException: The parsed version id is empty.
    kms_exceptions.ArgumentError: --attestation-file was given for a
      version that is not HSM-protected or is still PENDING_GENERATION.
    exceptions.BadFileException: The attestation could not be written.
  """
  client = cloudkms_base.GetClientInstance()
  messages = cloudkms_base.GetMessagesModule()

  version_ref = flags.ParseCryptoKeyVersionName(args)
  if not version_ref.Name():
    raise exceptions.InvalidArgumentException(
        'version', 'version id must be non-empty.')

  versions_service = (
      client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions)
  version = versions_service.Get(
      messages.
      CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsGetRequest(
          name=version_ref.RelativeName()))

  if args.attestation_file:
    # Software key versions cannot satisfy --attestation-file.
    hsm_level = messages.CryptoKeyVersion.ProtectionLevelValueValuesEnum.HSM
    if version.protectionLevel != hsm_level:
      raise kms_exceptions.ArgumentError(
          'Attestations are only available for HSM key versions.')

    pending = messages.CryptoKeyVersion.StateValueValuesEnum.PENDING_GENERATION
    if version.state == pending:
      raise kms_exceptions.ArgumentError(
          'The attestation is unavailable until the version is generated.'
      )

    if version.attestation is not None:
      try:
        log.WriteToFileOrStdout(
            args.attestation_file,
            version.attestation.content,
            overwrite=True,
            binary=True)
      except files.Error as write_error:
        raise exceptions.BadFileException(write_error)

  if version.attestation is not None:
    # Suppress the attestation content in the printed output. Users can use
    # --attestation-file to obtain it, instead.
    version.attestation.content = None
    # Suppress the certificate chains in the printed output. Users can use
    # get-certificate-chain to obtain them, instead.
    version.attestation.certChains = None

  return version
def Run(self, args):  # pylint: disable=line-too-long
  """Make the named CryptoKeyVersion the primary version of its CryptoKey.

  Registers a resolver for 'cryptoKeysId' on the shared resource registry
  before parsing, so --cryptokey supplies the key id for the version name.

  NOTE(review): the request's `name` is taken from the version reference's
  RelativeName(), not from a CryptoKey reference -- confirm that is the name
  UpdatePrimaryVersion expects.

  Args:
    args: Parsed command arguments. Reads args.cryptokey, plus whatever
      flags.ParseCryptoKeyVersionName reads.

  Returns:
    The response of the UpdatePrimaryVersion call.
  """
  client = cloudkms_base.GetClientInstance()
  messages = cloudkms_base.GetMessagesModule()

  key_id_resolver = resolvers.FromArgument('--cryptokey', args.cryptokey)
  resources.REGISTRY.SetParamDefault(
      'cloudkms', None, 'cryptoKeysId', key_id_resolver)

  version_ref = flags.ParseCryptoKeyVersionName(args)

  request_cls = (
      messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysUpdatePrimaryVersionRequest)
  target_name = version_ref.RelativeName()
  primary_update = messages.UpdateCryptoKeyPrimaryVersionRequest(
      cryptoKeyVersionId=version_ref.cryptoKeyVersionsId)
  update_request = request_cls(
      name=target_name, updateCryptoKeyPrimaryVersionRequest=primary_update)

  crypto_keys_service = client.projects_locations_keyRings_cryptoKeys
  return crypto_keys_service.UpdatePrimaryVersion(update_request)
def UpdateOthers(self, args, crypto_key, fields_to_update):
  """Patch the CryptoKey fields named in fields_to_update.

  An apitools HttpError from the service is swallowed and reported as None,
  so the reason for the failure is not available to the caller. Callers
  must treat None as "patch failed".

  Args:
    args: Parsed command arguments, read by the flags and labels_util
      helpers.
    crypto_key: The existing CryptoKey; its labels are the base that the
      label changes are applied to.
    fields_to_update: Field names, joined with ',' to form the update mask.

  Returns:
    The service response, or None if the call raised
    apitools_exceptions.HttpError.
  """
  client = cloudkms_base.GetClientInstance()
  messages = cloudkms_base.GetMessagesModule()
  crypto_key_ref = flags.ParseCryptoKeyName(args)

  patch_cls = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysPatchRequest
  key_name = crypto_key_ref.RelativeName()
  label_changes = labels_util.Diff.FromUpdateArgs(args)
  merged_labels = label_changes.Apply(
      messages.CryptoKey.LabelsValue, crypto_key.labels).GetOrNone()

  req = patch_cls(
      name=key_name, cryptoKey=messages.CryptoKey(labels=merged_labels))
  req.updateMask = ','.join(fields_to_update)

  flags.SetNextRotationTime(args, req.cryptoKey)
  flags.SetRotationPeriod(args, req.cryptoKey)

  try:
    return client.projects_locations_keyRings_cryptoKeys.Patch(req)
  except apitools_exceptions.HttpError:
    return None
def Run(self, args):
  """Create a CryptoKey in the KeyRing named by the command flags.

  Args:
    args: Parsed command arguments. Reads args.purpose here; the flags
      helpers read the rest.

  Returns:
    The response of the CryptoKeys.Create call.
  """
  client = cloudkms_base.GetClientInstance()
  messages = cloudkms_base.GetMessagesModule()

  crypto_key_ref = flags.ParseCryptoKeyName(args)
  parent_ref = flags.ParseKeyRingName(args)

  create_cls = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCreateRequest
  parent_name = parent_ref.RelativeName()
  key_id = crypto_key_ref.Name()

  # TODO(b/35914817): Find a better way to get the enum value by name.
  purpose_enum = getattr(
      messages.CryptoKey.PurposeValueValuesEnum, PURPOSE_MAP[args.purpose])
  new_key = messages.CryptoKey(purpose=purpose_enum)

  req = create_cls(parent=parent_name, cryptoKeyId=key_id, cryptoKey=new_key)

  flags.SetNextRotationTime(args, req.cryptoKey)
  flags.SetRotationPeriod(args, req.cryptoKey)

  return client.projects_locations_keyRings_cryptoKeys.Create(req)
def _ReadOrFetchPublicKeyBytes(self, args, import_job_name):
  """Return the import job's public key bytes, from disk or from KMS.

  When --public-key-file is given, its contents are returned as read. This
  method does not compare them with the import job's key in KMS, so the
  caller is trusting that the local file really is that job's public key.

  Args:
    args: Parsed command arguments; args.public_key_file is read.
    import_job_name: Resource name of the import job, used only when the
      key has to be fetched from KMS.

  Returns:
    The public key as bytes: the file contents, or the import job's PEM
    encoded as ASCII.

  Raises:
    exceptions.BadFileException: The public key file could not be read.
  """
  client = cloudkms_base.GetClientInstance()
  messages = cloudkms_base.GetMessagesModule()

  # If the public key was provided, read it off disk.
  if args.public_key_file:
    try:
      return self._ReadFile(args.public_key_file, max_bytes=65536)
    except files.Error as read_error:
      raise exceptions.BadFileException(
          'Failed to read public key file [{0}]: {1}'.format(
              args.public_key_file, read_error))

  # Otherwise, fetch it from KMS.
  get_job_request = messages.CloudkmsProjectsLocationsKeyRingsImportJobsGetRequest(
      name=import_job_name)
  import_job = client.projects_locations_keyRings_importJobs.Get(
      get_job_request)
  return import_job.publicKey.pem.encode('ascii')
def SetCryptoKeyIamPolicy(crypto_key_ref, policy):
  """Replace the IAM Policy attached to the named CryptoKey.

  If 'policy' has no etag specified, this will BLINDLY OVERWRITE the IAM
  policy! A binding added by someone else between the caller's read and this
  write is then lost without any error. Callers doing read-modify-write
  should pass back a policy that still carries the etag they read.

  Args:
    crypto_key_ref: A resources.Resource naming the CryptoKey.
    policy: An apitools wrapper for the IAM Policy.

  Returns:
    The IAM Policy.
  """
  client = base.GetClientInstance()
  messages = base.GetMessagesModule()

  set_policy_cls = (
      messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysSetIamPolicyRequest)
  resource_name = crypto_key_ref.RelativeName()
  policy_payload = messages.SetIamPolicyRequest(policy=policy)
  set_policy_request = set_policy_cls(
      resource=resource_name, setIamPolicyRequest=policy_payload)

  crypto_keys_service = client.projects_locations_keyRings_cryptoKeys
  return crypto_keys_service.SetIamPolicy(set_policy_request)
def Run(self, args):
  """Fetch a CryptoKeyVersion's public key and write its PEM out.

  The PEM goes to args.output_file, or to '-' when no output file is given,
  with overwrite=True and private=True.
  NOTE(review): private=True presumably restricts the created file's
  permissions -- confirm in log.WriteToFileOrStdout.

  Args:
    args: Parsed command arguments. Reads args.output_file, plus whatever
      flags.ParseCryptoKeyVersionName reads.

  Raises:
    exceptions.InvalidArgumentException: The parsed version id is empty.
  """
  client = cloudkms_base.GetClientInstance()
  messages = cloudkms_base.GetMessagesModule()

  version_ref = flags.ParseCryptoKeyVersionName(args)
  if not version_ref.Name():
    raise exceptions.InvalidArgumentException(
        'version', 'version id must be non-empty.')

  versions_service = (
      client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions)
  resp = versions_service.GetPublicKey(
      messages.
      CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsGetPublicKeyRequest(  # pylint: disable=line-too-long
          name=version_ref.RelativeName()))

  # TODO(b/72555857): Revisit this when we pull this into trunk.
  destination = args.output_file or '-'
  log.WriteToFileOrStdout(
      destination,
      resp.pem,
      overwrite=True,
      binary=False,
      private=True)
def _CreateAsymmetricSignRequest(self, args):
  """Build an AsymmetricSign request from a digest of the input file.

  When self._PerformIntegrityVerification(args) is true, the request also
  carries a CRC32C of the digest bytes. CRC32C is a checksum for detecting
  accidental corruption; it is not an authenticity check.

  Args:
    args: Parsed command arguments. Reads args.digest_algorithm and
      args.input_file, plus whatever flags.ParseCryptoKeyVersionName reads.

  Returns:
    The request, with asymmetricSignRequest holding the digest and, when
    integrity verification is on, digestCrc32c.

  Raises:
    exceptions.BadFileException: Computing the digest raised
      EnvironmentError.
  """
  try:
    digest = get_digest.GetDigest(args.digest_algorithm, args.input_file)
  except EnvironmentError as read_error:
    raise exceptions.BadFileException(
        'Failed to read input file [{0}]: {1}'.format(
            args.input_file, read_error))

  messages = cloudkms_base.GetMessagesModule()
  req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsAsymmetricSignRequest(  # pylint: disable=line-too-long
      name=flags.ParseCryptoKeyVersionName(args).RelativeName())

  sign_fields = {'digest': digest}
  if self._PerformIntegrityVerification(args):
    # args.digest_algorithm has been verified in get_digest.GetDigest()
    sign_fields['digestCrc32c'] = crc32c.Crc32c(
        getattr(digest, args.digest_algorithm))

  req.asymmetricSignRequest = messages.AsymmetricSignRequest(**sign_fields)
  return req
def SetState(version_ref, state):
  """Patch only the 'state' field of a CryptoKeyVersion.

  The update mask is fixed to 'state', so no other field of the version is
  sent for modification by this call.

  Args:
    version_ref: A resources.Resource for the CryptoKeyVersion.
    state: an apitools enum for ENABLED or DISABLED state.

  Returns:
    The updated CryptoKeyVersion.
  """
  client = cloudkms_base.GetClientInstance()
  messages = cloudkms_base.GetMessagesModule()

  patch_cls = (
      messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsPatchRequest)
  version_name = version_ref.RelativeName()
  desired_version = messages.CryptoKeyVersion(state=state)
  patch_request = patch_cls(
      name=version_name, updateMask='state', cryptoKeyVersion=desired_version)

  versions_service = (
      client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions)
  return versions_service.Patch(patch_request)
def _CreateMacSignRequest(self, args):
  """Build a MacSign request from the contents of the input file or stdin.

  When self._PerformIntegrityVerification(args) is true, the request also
  carries a CRC32C of the data. CRC32C is a checksum for detecting
  accidental corruption; it is not an authenticity check.

  NOTE(review): only EnvironmentError is translated into BadFileException
  here -- confirm that is the exception type self._ReadFileOrStdin raises on
  a failed read.

  Args:
    args: Parsed command arguments. Reads args.input_file, plus whatever
      flags.ParseCryptoKeyVersionName reads.

  Returns:
    The request, with macSignRequest holding the data and, when integrity
    verification is on, dataCrc32c.

  Raises:
    exceptions.BadFileException: Reading the input raised EnvironmentError.
  """
  try:
    # The MacSign API limits the input data to 64KiB.
    data = self._ReadFileOrStdin(args.input_file, max_bytes=65536)
  except EnvironmentError as read_error:
    raise exceptions.BadFileException(
        'Failed to read input file [{0}]: {1}'.format(
            args.input_file, read_error))

  messages = cloudkms_base.GetMessagesModule()
  req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsMacSignRequest(  # pylint: disable=line-too-long
      name=flags.ParseCryptoKeyVersionName(args).RelativeName())

  mac_fields = {'data': data}
  if self._PerformIntegrityVerification(args):
    mac_fields['dataCrc32c'] = crc32c.Crc32c(data)

  req.macSignRequest = messages.MacSignRequest(**mac_fields)
  return req
def _CreateCreateCKVRequest(self, args):  # pylint: disable=line-too-long
  """Build the CryptoKeyVersions.Create request for the named CryptoKey.

  The request carries externalProtectionLevelOptions only when one of
  --external-key-uri or --ekm-connection-key-path was given; otherwise it
  names just the parent key.

  Args:
    args: Parsed command arguments. Reads args.external_key_uri and
      args.ekm_connection_key_path, plus whatever flags.ParseCryptoKeyName
      reads.

  Returns:
    The create request.

  Raises:
    kms_exceptions.ArgumentError: Both --external-key-uri and
      --ekm-connection-key-path were given.
  """
  messages = cloudkms_base.GetMessagesModule()
  crypto_key_ref = flags.ParseCryptoKeyName(args)

  key_uri = args.external_key_uri
  key_path = args.ekm_connection_key_path

  # The two ways of naming the external key are mutually exclusive.
  if key_uri and key_path:
    raise kms_exceptions.ArgumentError(
        'Can not specify both --external-key-uri and '
        '--ekm-connection-key-path.')

  if not (key_uri or key_path):
    return messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsCreateRequest(
        parent=crypto_key_ref.RelativeName())

  create_cls = (
      messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsCreateRequest)
  parent_name = crypto_key_ref.RelativeName()
  external_options = messages.ExternalProtectionLevelOptions(
      externalKeyUri=key_uri, ekmConnectionKeyPath=key_path)
  return create_cls(
      parent=parent_name,
      cryptoKeyVersion=messages.CryptoKeyVersion(
          externalProtectionLevelOptions=external_options))
def Run(self, args):
  """Update an existing EkmConnection from the command flags.

  The connection is fetched first and handed to self.CreateRequest together
  with the flags; the resulting request is then sent as a Patch.

  Args:
    args: Parsed command arguments. Reads service_directory_service,
      endpoint_filter, hostname and server_certificates_files, plus whatever
      flags.ParseEkmConnectionName and self.CreateRequest read.

  Returns:
    The response of the EkmConnections.Patch call.

  Raises:
    kms_exceptions.UpdateError: None of the four update flags was given.
  """
  nothing_to_update = (
      not args.service_directory_service
      and not args.endpoint_filter
      and not args.hostname
      and not args.server_certificates_files)
  if nothing_to_update:
    raise kms_exceptions.UpdateError(
        'An error occured: At least one of --service-directory-service or '
        '--endpoint-filter or --hostname or --server-certificates-files '
        'must be specified.')

  client = cloudkms_base.GetClientInstance()
  messages = cloudkms_base.GetMessagesModule()
  ec_ref = flags.ParseEkmConnectionName(args)

  # Fetch the current ekmConnection; the Get call is what fails if it
  # doesn't exist.
  get_request = messages.CloudkmsProjectsLocationsEkmConnectionsGetRequest(
      name=ec_ref.RelativeName())
  ekm_connection = client.projects_locations_ekmConnections.Get(get_request)

  # Build and send the update.
  update_req = self.CreateRequest(args, messages, ekm_connection)
  return client.projects_locations_ekmConnections.Patch(update_req)
def _CreateAsymmetricSignRequestOnData(self, args):
  """Returns an AsymmetricSignRequest built from raw input data.

  The data field is filled with the bytes read from args.input_file.
  dataCrc32c is filled in as well unless integrity verification is skipped.
  CRC32C is a checksum for detecting accidental corruption; it is not an
  authenticity check.

  Args:
    args: Input arguments.

  Returns:
    An AsymmetricSignRequest with data populated, and dataCrc32c populated
    if integrity verification is not skipped.

  Raises:
    exceptions.BadFileException: An error occurred reading the input file.
    This can occur if the file can't be read or if the file is larger than
    64 KiB.
  """
  try:
    # The Asymmetric Sign API limits the data input to 64KiB.
    data = self._ReadBinaryFile(args.input_file, max_bytes=65536)
  except files.Error as read_error:
    raise exceptions.BadFileException(
        'Failed to read input file [{0}]: {1}'.format(
            args.input_file, read_error))

  messages = cloudkms_base.GetMessagesModule()
  req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsAsymmetricSignRequest(  # pylint: disable=line-too-long
      name=flags.ParseCryptoKeyVersionName(args).RelativeName())

  sign_fields = {'data': data}
  if self._PerformIntegrityVerification(args):
    sign_fields['dataCrc32c'] = crc32c.Crc32c(data)

  req.asymmetricSignRequest = messages.AsymmetricSignRequest(**sign_fields)
  return req
def Run(self, args):
  """Describe an import job and optionally save its attestation.

  With --attestation-file, the attestation content is written to that path
  with overwrite=True, so an existing file there is replaced. The content is
  then blanked on the returned object so it does not appear in the printed
  output.

  Args:
    args: Parsed command arguments. Reads args.attestation_file, plus
      whatever flags.ParseImportJobName reads.

  Returns:
    The ImportJob, with attestation.content set to None when an attestation
    is present.

  Raises:
    exceptions.InvalidArgumentException: The parsed import job id is empty.
    exceptions.ToolException: --attestation-file was given for an import
      job that is not HSM-protected or is still PENDING_GENERATION.
    exceptions.BadFileException: The attestation could not be written.
  """
  client = cloudkms_base.GetClientInstance()
  messages = cloudkms_base.GetMessagesModule()

  import_job_ref = flags.ParseImportJobName(args)
  if not import_job_ref.Name():
    raise exceptions.InvalidArgumentException(
        'import_job', 'import job id must be non-empty.')

  get_request = messages.CloudkmsProjectsLocationsKeyRingsImportJobsGetRequest(
      name=import_job_ref.RelativeName())
  import_job = client.projects_locations_keyRings_importJobs.Get(get_request)

  if args.attestation_file:
    # Software import jobs cannot satisfy --attestation-file.
    hsm_level = messages.ImportJob.ProtectionLevelValueValuesEnum.HSM
    if import_job.protectionLevel != hsm_level:
      raise exceptions.ToolException(
          'Attestations are only available for HSM import jobs.')

    pending = messages.ImportJob.StateValueValuesEnum.PENDING_GENERATION
    if import_job.state == pending:
      raise exceptions.ToolException(
          'The attestation is unavailable until the import job is generated.')

    if import_job.attestation is not None:
      try:
        log.WriteToFileOrStdout(
            args.attestation_file,
            import_job.attestation.content,
            overwrite=True,
            binary=True)
      except files.Error as write_error:
        raise exceptions.BadFileException(write_error)

  if import_job.attestation is not None:
    # Suppress the attestation content in the printed output. Users can use
    # --attestation-file to obtain it, instead.
    import_job.attestation.content = None

  return import_job
def SetKeyRingIamPolicy(key_ring_ref, policy):
  """Replace the IAM Policy attached to the named KeyRing.

  If 'policy' has no etag specified, this will BLINDLY OVERWRITE the IAM
  policy! A binding added by someone else between the caller's read and this
  write is then lost without any error. Callers doing read-modify-write
  should pass back a policy that still carries the etag they read.

  Args:
    key_ring_ref: A resources.Resource naming the KeyRing.
    policy: An apitools wrapper for the IAM Policy.

  Returns:
    The IAM Policy.
  """
  client = base.GetClientInstance()
  messages = base.GetMessagesModule()

  set_policy_cls = messages.CloudkmsProjectsLocationsKeyRingsSetIamPolicyRequest
  # The KeyRing is addressed by its three id components.
  request_fields = {
      'projectsId': key_ring_ref.projectsId,
      'locationsId': key_ring_ref.locationsId,
      'keyRingsId': key_ring_ref.keyRingsId,
  }
  request_fields['setIamPolicyRequest'] = messages.SetIamPolicyRequest(
      policy=policy)
  set_policy_request = set_policy_cls(**request_fields)

  key_rings_service = client.projects_locations_keyRings
  return key_rings_service.SetIamPolicy(set_policy_request)
def SetKeyRingIamPolicy(key_ring_ref, policy, update_mask):
  """Replace the IAM Policy attached to the named KeyRing.

  If 'policy' has no etag specified, this will BLINDLY OVERWRITE the IAM
  policy! A binding added by someone else between the caller's read and this
  write is then lost without any error. Callers doing read-modify-write
  should pass back a policy that still carries the etag they read.

  Args:
    key_ring_ref: A resources.Resource naming the KeyRing.
    policy: An apitools wrapper for the IAM Policy.
    update_mask: str, FieldMask represented as comma-separated field names.

  Returns:
    The IAM Policy.
  """
  client = base.GetClientInstance()
  messages = base.GetMessagesModule()

  set_policy_cls = messages.CloudkmsProjectsLocationsKeyRingsSetIamPolicyRequest
  resource_name = key_ring_ref.RelativeName()
  policy_payload = messages.SetIamPolicyRequest(
      policy=policy, updateMask=update_mask)
  set_policy_request = set_policy_cls(
      resource=resource_name, setIamPolicyRequest=policy_payload)

  key_rings_service = client.projects_locations_keyRings
  return key_rings_service.SetIamPolicy(set_policy_request)