def SetKeyRingIamPolicy(key_ring_ref, policy, update_mask): """Set the IAM Policy attached to the named KeyRing to the given policy. If 'policy' has no etag specified, this will BLINDLY OVERWRITE the IAM policy! Args: key_ring_ref: A resources.Resource naming the KeyRing. policy: An apitools wrapper for the IAM Policy. update_mask: str, FieldMask represented as comma-separated field names. Returns: The IAM Policy. """ client = base.GetClientInstance() messages = base.GetMessagesModule() policy.version = iam_util.MAX_LIBRARY_IAM_SUPPORTED_VERSION if not update_mask: update_mask = 'version' elif 'version' not in update_mask: update_mask += ',version' req = messages.CloudkmsProjectsLocationsKeyRingsSetIamPolicyRequest( resource=key_ring_ref.RelativeName(), setIamPolicyRequest=messages.SetIamPolicyRequest( policy=policy, updateMask=update_mask)) return client.projects_locations_keyRings.SetIamPolicy(req)
def Run(self, args): # pylint: disable=line-too-long fields_to_update = self.ProcessFlags(args) client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() version_ref = flags.ParseCryptoKeyVersionName(args) # Try to get the cryptoKeyVersion and raise an exception if it doesn't exist. key_version = client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions.Get( messages .CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsGetRequest( name=version_ref.RelativeName())) # Check that this key version's ProtectionLevel is EXTERNAL if args.external_key_uri: self.CheckKeyIsExternal(key_version, messages) if args.ekm_connection_key_path: self.CheckKeyIsExternalVpc(key_version, messages) # Make update request update_req = self.CreateRequest(args, messages, fields_to_update) return client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions.Patch( update_req)
def Run(self, args): client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() version_ref = flags.ParseCryptoKeyVersionName(args) if not version_ref.Name(): raise exceptions.InvalidArgumentException( 'version', 'version id must be non-empty.') versions = client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions version = versions.Get( messages. CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsGetRequest( name=version_ref.RelativeName())) if (version.protectionLevel != messages.CryptoKeyVersion.ProtectionLevelValueValuesEnum.HSM): raise exceptions.ToolException( 'Certificate chains are only available for HSM key versions.') if (version.state == messages.CryptoKeyVersion.StateValueValuesEnum. PENDING_GENERATION): raise exceptions.ToolException( 'Certificate chains are unavailable until the version is generated.' ) try: log.WriteToFileOrStdout( args.output_file if args.output_file else '-', _GetCertificateChainPem(version.attestation.certChains, args.certificate_chain_type), overwrite=True, binary=False) except files.Error as e: raise exceptions.BadFileException(e)
def Run(self, args): client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() key_ring_ref = flags.ParseKeyRingName(args) return client.projects_locations_keyRings.Get( messages.CloudkmsProjectsLocationsKeyRingsGetRequest( name=key_ring_ref.RelativeName()))
def UpdateOthers(self, args, crypto_key, fields_to_update): """Updates labels, nextRotationTime, rotationPeriod, and algorithm.""" client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() crypto_key_ref = flags.ParseCryptoKeyName(args) valid_algorithms = maps.VALID_ALGORITHMS_MAP[crypto_key.purpose] req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysPatchRequest( name=crypto_key_ref.RelativeName(), cryptoKey=messages.CryptoKey( labels=labels_util.Diff.FromUpdateArgs(args).Apply( messages.CryptoKey.LabelsValue, crypto_key.labels).GetOrNone())) req.updateMask = ','.join(fields_to_update) flags.SetNextRotationTime(args, req.cryptoKey) flags.SetRotationPeriod(args, req.cryptoKey) if args.default_algorithm: if args.default_algorithm not in valid_algorithms: raise exceptions.ToolException( 'Update failed: Algorithm {algorithm} is not valid. Here are the ' 'valid algorithm(s) for purpose {purpose}: {all_algorithms}'.format( algorithm=args.default_algorithm, purpose=crypto_key.purpose, all_algorithms=', '.join(valid_algorithms))) req.cryptoKey.versionTemplate = messages.CryptoKeyVersionTemplate( algorithm=maps.ALGORITHM_MAPPER.GetEnumForChoice( args.default_algorithm)) try: response = client.projects_locations_keyRings_cryptoKeys.Patch(req) except apitools_exceptions.HttpError: return None return response
def Run(self, args): # pylint: disable=line-too-long client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() crypto_key_ref = resources.REGISTRY.Create(flags.CRYPTO_KEY_COLLECTION) req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsCreateRequest( parent=crypto_key_ref.RelativeName()) ckv = client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions new_version = ckv.Create(req) if args.primary: # TODO(b/35914817): Find a better way to parse this. version_id = os.path.basename(new_version.name) req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysUpdatePrimaryVersionRequest( name=crypto_key_ref.RelativeName(), updateCryptoKeyPrimaryVersionRequest=( messages.UpdateCryptoKeyPrimaryVersionRequest( cryptoKeyVersionId=version_id))) client.projects_locations_keyRings_cryptoKeys.UpdatePrimaryVersion( req) return new_version
def Run(self, args): client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() try: digest = get_digest.GetDigest(args.digest_algorithm, args.input_file) except EnvironmentError as e: raise exceptions.BadFileException( 'Failed to read input file [{0}]: {1}'.format( args.input_file, e)) req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsAsymmetricSignRequest( # pylint: disable=line-too-long name=flags.ParseCryptoKeyVersionName(args).RelativeName()) req.asymmetricSignRequest = messages.AsymmetricSignRequest( digest=digest) resp = (client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions .AsymmetricSign(req)) try: log.WriteToFileOrStdout(args.signature_file, resp.signature, overwrite=True, binary=True, private=True) except files.Error as e: raise exceptions.BadFileException(e)
def Run(self, args): try: ciphertext = console_io.ReadFromFileOrStdin( args.ciphertext_file, binary=True) except files.Error as e: raise exceptions.BadFileException( 'Failed to read ciphertext file [{0}]: {1}'.format( args.ciphertext_file, e)) client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() crypto_key_ref = flags.ParseCryptoKeyVersionName(args) req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsAsymmetricDecryptRequest( # pylint: disable=line-too-long name=crypto_key_ref.RelativeName()) req.asymmetricDecryptRequest = messages.AsymmetricDecryptRequest( ciphertext=ciphertext) resp = ( client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions. AsymmetricDecrypt(req)) try: log.WriteToFileOrStdout( args.plaintext_file, resp.plaintext or '', overwrite=True, binary=True, private=True) except files.Error as e: raise exceptions.BadFileException(e)
def Run(self, args): req = self._CreateDecryptRequest(args) client = cloudkms_base.GetClientInstance() try: resp = client.projects_locations_keyRings_cryptoKeys.Decrypt(req) # Intercept INVALID_ARGUMENT errors related to checksum verification to # present a user-friendly message. All other errors are surfaced as-is. except apitools_exceptions.HttpBadRequestError as error: e2e_integrity.ProcessHttpBadRequestError(error) if self._PerformIntegrityVerification(args): self._VerifyResponseIntegrityFields(req, resp) try: if resp.plaintext is None: with files.FileWriter(args.plaintext_file): # to create an empty file pass log.Print('Decrypted file is empty') else: log.WriteToFileOrStdout(args.plaintext_file, resp.plaintext, binary=True, overwrite=True) except files.Error as e: raise exceptions.BadFileException(e)
def Run(self, args): # Check the flags and raise an exception if any check fails. fields_to_update = self.ProcessFlags(args) # Try to get the cryptoKey and raise an exception if the key doesn't exist. client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() crypto_key_ref = flags.ParseCryptoKeyName(args) crypto_key = client.projects_locations_keyRings_cryptoKeys.Get( messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysGetRequest( name=crypto_key_ref.RelativeName())) # Try to update the key's primary version. set_primary_version_succeeds = True if args.primary_version: response = self.UpdatePrimaryVersion(args) if response: crypto_key = response # If call succeeds, update the crypto_key. else: set_primary_version_succeeds = False # Try other updates. other_updates_succeed = True if fields_to_update: response = self.UpdateOthers(args, crypto_key, fields_to_update) if response: crypto_key = response # If call succeeds, update the crypto_key. else: other_updates_succeed = False if (not set_primary_version_succeeds) or (not other_updates_succeed): self.HandleErrors(args, set_primary_version_succeeds, other_updates_succeed, fields_to_update) else: return crypto_key
def Run(self, args): # pylint: disable=line-too-long client = cloudkms_base.GetClientInstance() ckv = client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions new_ckv = ckv.Create(self._CreateCreateCKVRequest(args)) if args.primary: version_id = new_ckv.name.split('/')[-1] crypto_key_ref = flags.ParseCryptoKeyName(args) messages = cloudkms_base.GetMessagesModule() req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysUpdatePrimaryVersionRequest( name=crypto_key_ref.RelativeName(), updateCryptoKeyPrimaryVersionRequest=( messages.UpdateCryptoKeyPrimaryVersionRequest( cryptoKeyVersionId=version_id))) client.projects_locations_keyRings_cryptoKeys.UpdatePrimaryVersion( req) if new_ckv.algorithm == self.GOOGLE_SYMMETRIC_ENCRYPTION: log.err.Print( self.SYMMETRIC_NEW_PRIMARY_MESSAGE.format( version=version_id)) return new_ckv
def Run(self, args): client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() crypto_key_ref = flags.ParseCryptoKeyName(args) req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysPatchRequest( projectsId=crypto_key_ref.projectsId, locationsId=crypto_key_ref.locationsId, keyRingsId=crypto_key_ref.keyRingsId, cryptoKeysId=crypto_key_ref.cryptoKeysId, cryptoKey=messages.CryptoKey()) flags.SetNextRotationTime(args, req.cryptoKey) flags.SetRotationPeriod(args, req.cryptoKey) fields_to_update = [] if args.rotation_period is not None: fields_to_update.append('rotationPeriod') if args.next_rotation_time is not None: fields_to_update.append('nextRotationTime') if not fields_to_update: raise exceptions.ToolException( 'At least one of --next-rotation-time or --rotation-period must be ' 'specified.') req.updateMask = ','.join(fields_to_update) return client.projects_locations_keyRings_cryptoKeys.Patch(req)
def Run(self, args): client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() crypto_key_ref = flags.ParseCryptoKeyName(args) parent_ref = flags.ParseParentFromResource(crypto_key_ref) req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCreateRequest( parent=parent_ref.RelativeName(), cryptoKeyId=crypto_key_ref.Name(), cryptoKey=messages.CryptoKey( # TODO(b/35914817): Find a better way to get the enum value by name. purpose=getattr(messages.CryptoKey.PurposeValueValuesEnum, PURPOSE_MAP[args.purpose]), labels=labels_util.UpdateLabels( None, messages.CryptoKey.LabelsValue, update_labels=labels_util.GetUpdateLabelsDictFromArgs( args))), ) flags.SetNextRotationTime(args, req.cryptoKey) flags.SetRotationPeriod(args, req.cryptoKey) return client.projects_locations_keyRings_cryptoKeys.Create(req)
def _ReadOrFetchPublicKeyBytes(self, args, import_job_name): client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() # If the public key was provided, read it off disk. Otherwise, fetch it from # KMS. public_key_bytes = None if args.public_key_file: try: public_key_bytes = self._ReadFile(args.public_key_file, max_bytes=65536) except files.Error as e: raise exceptions.BadFileException( 'Failed to read public key file [{0}]: {1}'.format( args.public_key_file, e)) else: import_job = client.projects_locations_keyRings_importJobs.Get( # pylint: disable=line-too-long messages.CloudkmsProjectsLocationsKeyRingsImportJobsGetRequest( name=import_job_name)) if import_job.state != messages.ImportJob.StateValueValuesEnum.ACTIVE: raise exceptions.BadArgumentException( 'import-job', 'Import job [{0}] is not active (state is {1}).'.format( import_job_name, import_job.state)) public_key_bytes = import_job.publicKey.pem.encode('ascii') return public_key_bytes
def Run(self, args): client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() version_ref = flags.ParseCryptoKeyVersionName(args) return client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions.Get( messages. CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsGetRequest( name=version_ref.RelativeName()))
def SetUp(self): self.messages = cloudkms_base.GetMessagesModule() self.mock_client = mock.Client( apis.GetClientClass(cloudkms_base.DEFAULT_API_NAME, cloudkms_base.DEFAULT_API_VERSION), real_client=cloudkms_base.GetClientInstance()) self.mock_client.Mock() self.addCleanup(self.mock_client.Unmock) self.version_ref = GetCryptoKeyVersionRef(self._VERSION_NAME)
def TestCryptoKeyIamPermissions(crypto_key_ref, permissions): """Return permissions that the caller has on the named CryptoKey.""" client = base.GetClientInstance() messages = base.GetMessagesModule() req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysTestIamPermissionsRequest( resource=crypto_key_ref.RelativeName(), testIamPermissionsRequest=messages.TestIamPermissionsRequest( permissions=permissions)) return client.projects_locations_keyRings_cryptoKeys.TestIamPermissions(req)
def Run(self, args): client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() ekm_connection_ref = args.CONCEPTS.ekm_connection.Parse() if not ekm_connection_ref.Name(): raise exceptions.InvalidArgumentException( 'ekmconnection', 'ekmconnection id must be non-empty.') return client.projects_locations_ekmConnections.Get( messages.CloudkmsProjectsLocationsEkmConnectionsGetRequest( name=ekm_connection_ref.RelativeName()))
def Run(self, args): client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() key_ring_ref = flags.ParseKeyRingName(args) if not key_ring_ref.Name(): raise exceptions.InvalidArgumentException('keyring', 'keyring id must be non-empty.') return client.projects_locations_keyRings.Get( messages.CloudkmsProjectsLocationsKeyRingsGetRequest( name=key_ring_ref.RelativeName()))
def Run(self, args): # pylint: disable=line-too-long client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() version_ref = flags.ParseCryptoKeyVersionName(args) req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsDestroyRequest( name=version_ref.RelativeName()) ckv = client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions return ckv.Destroy(req)
def Run(self, args): client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() crypto_key_ref = flags.ParseCryptoKeyName(args) req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysPatchRequest( name=crypto_key_ref.RelativeName(), cryptoKey=messages.CryptoKey(), updateMask='rotationPeriod,nextRotationTime') return client.projects_locations_keyRings_cryptoKeys.Patch(req)
def Run(self, args): client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() crypto_key_ref = flags.ParseCryptoKeyName(args) return client.projects_locations_keyRings_cryptoKeys.Get( messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysGetRequest( projectsId=crypto_key_ref.projectsId, locationsId=crypto_key_ref.locationsId, keyRingsId=crypto_key_ref.keyRingsId, cryptoKeysId=crypto_key_ref.cryptoKeysId))
def Run(self, args): client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() key_ring_ref = args.CONCEPTS.keyring.Parse() parent_ref = key_ring_ref.Parent() req = messages.CloudkmsProjectsLocationsKeyRingsCreateRequest( parent=parent_ref.RelativeName(), keyRingId=key_ring_ref.Name(), keyRing=messages.KeyRing()) return client.projects_locations_keyRings.Create(req)
def Run(self, args): client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() version_ref = flags.ParseCryptoKeyVersionName(args) if not version_ref.Name(): raise exceptions.InvalidArgumentException( 'version', 'version id must be non-empty.') return client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions.Get( messages. CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsGetRequest( name=version_ref.RelativeName()))
def Run(self, args): client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() key_ring_ref = flags.ParseKeyRingName(args) parent_ref = flags.ParseParentFromResource(key_ring_ref) req = messages.CloudkmsProjectsLocationsKeyRingsCreateRequest( parent=parent_ref.RelativeName(), keyRingId=key_ring_ref.Name(), keyRing=messages.KeyRing()) return client.projects_locations_keyRings.Create(req)
def Run(self, args): client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() crypto_key_ref = flags.ParseCryptoKeyName(args) if not crypto_key_ref.Name(): raise exceptions.InvalidArgumentException( 'key', 'key id must be non-empty.') resp = client.projects_locations_keyRings_cryptoKeys.Get( messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysGetRequest( name=crypto_key_ref.RelativeName())) return self._DescribeResponse(args, resp)
def Run(self, args): client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() key_ring_ref = flags.ParseKeyRingName(args) req = messages.CloudkmsProjectsLocationsKeyRingsCreateRequest( projectsId=key_ring_ref.projectsId, locationsId=key_ring_ref.locationsId, keyRingId=key_ring_ref.keyRingsId) return client.projects_locations_keyRings.Create(req)
def Run(self, args): if (args.ciphertext_file == '-' and args.additional_authenticated_data_file == '-'): raise exceptions.InvalidArgumentException( '--ciphertext-file', '--ciphertext-file and --additional-authenticated-data-file cannot ' 'both read from stdin.') try: # The Encrypt API has a limit of 64K; the output ciphertext files will be # slightly larger. Check proactively (but generously) to avoid attempting # to buffer and send obviously oversized files to KMS. ciphertext = self._ReadFileOrStdin( args.ciphertext_file, max_bytes=2 * 65536) except files.Error as e: raise exceptions.BadFileException( 'Failed to read ciphertext file [{0}]: {1}'.format( args.ciphertext_file, e)) aad = None if args.additional_authenticated_data_file: try: # The Encrypt API limits the AAD to 64KiB. aad = self._ReadFileOrStdin( args.additional_authenticated_data_file, max_bytes=65536) except files.Error as e: raise exceptions.BadFileException( 'Failed to read additional authenticated data file [{0}]: {1}'. format(args.additional_authenticated_data_file, e)) crypto_key_ref = flags.ParseCryptoKeyName(args) client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysDecryptRequest( name=crypto_key_ref.RelativeName()) req.decryptRequest = messages.DecryptRequest( ciphertext=ciphertext, additionalAuthenticatedData=aad) resp = client.projects_locations_keyRings_cryptoKeys.Decrypt(req) try: if resp.plaintext is None: with files.FileWriter(args.plaintext_file): # to create an empty file pass log.Print('Decrypted file is empty') else: log.WriteToFileOrStdout( args.plaintext_file, resp.plaintext, binary=True, overwrite=True) except files.Error as e: raise exceptions.BadFileException(e)
def Run(self, args): client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() location_ref = args.CONCEPTS.location.Parse() request = messages.CloudkmsProjectsLocationsKeyRingsListRequest( parent=location_ref.RelativeName()) return list_pager.YieldFromList(client.projects_locations_keyRings, request, field='keyRings', limit=args.limit, batch_size_attribute='pageSize')
def Run(self, args): client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() project = properties.VALUES.core.project.Get(required=True) request = messages.CloudkmsProjectsLocationsListRequest( projectsId=project) return list_pager.YieldFromList(client.projects_locations, request, field='locations', limit=args.limit, batch_size_attribute='pageSize')