def SetKeyRingIamPolicy(key_ring_ref, policy, update_mask):
"""Set the IAM Policy attached to the named KeyRing to the given policy.
If 'policy' has no etag specified, this will BLINDLY OVERWRITE the IAM policy!
Args:
key_ring_ref: A resources.Resource naming the KeyRing.
policy: An apitools wrapper for the IAM Policy.
update_mask: str, FieldMask represented as comma-separated field names.
Returns:
The IAM Policy.
"""
client = base.GetClientInstance()
messages = base.GetMessagesModule()
policy.version = iam_util.MAX_LIBRARY_IAM_SUPPORTED_VERSION
if not update_mask:
update_mask = 'version'
elif 'version' not in update_mask:
update_mask += ',version'
req = messages.CloudkmsProjectsLocationsKeyRingsSetIamPolicyRequest(
resource=key_ring_ref.RelativeName(),
setIamPolicyRequest=messages.SetIamPolicyRequest(
policy=policy, updateMask=update_mask))
return client.projects_locations_keyRings.SetIamPolicy(req)
def Run(self, args):
# pylint: disable=line-too-long
fields_to_update = self.ProcessFlags(args)
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
version_ref = flags.ParseCryptoKeyVersionName(args)
# Try to get the cryptoKeyVersion and raise an exception if it doesn't exist.
key_version = client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions.Get(
messages
.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsGetRequest(
name=version_ref.RelativeName()))
# Check that this key version's ProtectionLevel is EXTERNAL
if args.external_key_uri:
self.CheckKeyIsExternal(key_version, messages)
if args.ekm_connection_key_path:
self.CheckKeyIsExternalVpc(key_version, messages)
# Make update request
update_req = self.CreateRequest(args, messages, fields_to_update)
return client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions.Patch(
update_req)
def Run(self, args):
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
version_ref = flags.ParseCryptoKeyVersionName(args)
if not version_ref.Name():
raise exceptions.InvalidArgumentException(
'version', 'version id must be non-empty.')
versions = client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions
version = versions.Get(
messages.
CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsGetRequest(
name=version_ref.RelativeName()))
if (version.protectionLevel !=
messages.CryptoKeyVersion.ProtectionLevelValueValuesEnum.HSM):
raise exceptions.ToolException(
'Certificate chains are only available for HSM key versions.')
if (version.state == messages.CryptoKeyVersion.StateValueValuesEnum.
PENDING_GENERATION):
raise exceptions.ToolException(
'Certificate chains are unavailable until the version is generated.'
)
try:
log.WriteToFileOrStdout(
args.output_file if args.output_file else '-',
_GetCertificateChainPem(version.attestation.certChains,
args.certificate_chain_type),
overwrite=True,
binary=False)
except files.Error as e:
raise exceptions.BadFileException(e)
def Run(self, args):
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
key_ring_ref = flags.ParseKeyRingName(args)
return client.projects_locations_keyRings.Get(
messages.CloudkmsProjectsLocationsKeyRingsGetRequest(
name=key_ring_ref.RelativeName()))
def UpdateOthers(self, args, crypto_key, fields_to_update):
"""Updates labels, nextRotationTime, rotationPeriod, and algorithm."""
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
crypto_key_ref = flags.ParseCryptoKeyName(args)
valid_algorithms = maps.VALID_ALGORITHMS_MAP[crypto_key.purpose]
req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysPatchRequest(
name=crypto_key_ref.RelativeName(),
cryptoKey=messages.CryptoKey(
labels=labels_util.Diff.FromUpdateArgs(args).Apply(
messages.CryptoKey.LabelsValue, crypto_key.labels).GetOrNone()))
req.updateMask = ','.join(fields_to_update)
flags.SetNextRotationTime(args, req.cryptoKey)
flags.SetRotationPeriod(args, req.cryptoKey)
if args.default_algorithm:
if args.default_algorithm not in valid_algorithms:
raise exceptions.ToolException(
'Update failed: Algorithm {algorithm} is not valid. Here are the '
'valid algorithm(s) for purpose {purpose}: {all_algorithms}'.format(
algorithm=args.default_algorithm,
purpose=crypto_key.purpose,
all_algorithms=', '.join(valid_algorithms)))
req.cryptoKey.versionTemplate = messages.CryptoKeyVersionTemplate(
algorithm=maps.ALGORITHM_MAPPER.GetEnumForChoice(
args.default_algorithm))
try:
response = client.projects_locations_keyRings_cryptoKeys.Patch(req)
except apitools_exceptions.HttpError:
return None
return response
def Run(self, args):
# pylint: disable=line-too-long
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
crypto_key_ref = resources.REGISTRY.Create(flags.CRYPTO_KEY_COLLECTION)
req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsCreateRequest(
parent=crypto_key_ref.RelativeName())
ckv = client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions
new_version = ckv.Create(req)
if args.primary:
# TODO(b/35914817): Find a better way to parse this.
version_id = os.path.basename(new_version.name)
req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysUpdatePrimaryVersionRequest(
name=crypto_key_ref.RelativeName(),
updateCryptoKeyPrimaryVersionRequest=(
messages.UpdateCryptoKeyPrimaryVersionRequest(
cryptoKeyVersionId=version_id)))
client.projects_locations_keyRings_cryptoKeys.UpdatePrimaryVersion(
req)
return new_version
def Run(self, args):
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
try:
digest = get_digest.GetDigest(args.digest_algorithm,
args.input_file)
except EnvironmentError as e:
raise exceptions.BadFileException(
'Failed to read input file [{0}]: {1}'.format(
args.input_file, e))
req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsAsymmetricSignRequest( # pylint: disable=line-too-long
name=flags.ParseCryptoKeyVersionName(args).RelativeName())
req.asymmetricSignRequest = messages.AsymmetricSignRequest(
digest=digest)
resp = (client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions
.AsymmetricSign(req))
try:
log.WriteToFileOrStdout(args.signature_file,
resp.signature,
overwrite=True,
binary=True,
private=True)
except files.Error as e:
raise exceptions.BadFileException(e)
def Run(self, args):
try:
ciphertext = console_io.ReadFromFileOrStdin(
args.ciphertext_file, binary=True)
except files.Error as e:
raise exceptions.BadFileException(
'Failed to read ciphertext file [{0}]: {1}'.format(
args.ciphertext_file, e))
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
crypto_key_ref = flags.ParseCryptoKeyVersionName(args)
req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsAsymmetricDecryptRequest( # pylint: disable=line-too-long
name=crypto_key_ref.RelativeName())
req.asymmetricDecryptRequest = messages.AsymmetricDecryptRequest(
ciphertext=ciphertext)
resp = (
client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions.
AsymmetricDecrypt(req))
try:
log.WriteToFileOrStdout(
args.plaintext_file,
resp.plaintext or '',
overwrite=True,
binary=True,
private=True)
except files.Error as e:
raise exceptions.BadFileException(e)
def Run(self, args):
req = self._CreateDecryptRequest(args)
client = cloudkms_base.GetClientInstance()
try:
resp = client.projects_locations_keyRings_cryptoKeys.Decrypt(req)
# Intercept INVALID_ARGUMENT errors related to checksum verification to
# present a user-friendly message. All other errors are surfaced as-is.
except apitools_exceptions.HttpBadRequestError as error:
e2e_integrity.ProcessHttpBadRequestError(error)
if self._PerformIntegrityVerification(args):
self._VerifyResponseIntegrityFields(req, resp)
try:
if resp.plaintext is None:
with files.FileWriter(args.plaintext_file):
# to create an empty file
pass
log.Print('Decrypted file is empty')
else:
log.WriteToFileOrStdout(args.plaintext_file,
resp.plaintext,
binary=True,
overwrite=True)
except files.Error as e:
raise exceptions.BadFileException(e)
def Run(self, args):
# Check the flags and raise an exception if any check fails.
fields_to_update = self.ProcessFlags(args)
# Try to get the cryptoKey and raise an exception if the key doesn't exist.
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
crypto_key_ref = flags.ParseCryptoKeyName(args)
crypto_key = client.projects_locations_keyRings_cryptoKeys.Get(
messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysGetRequest(
name=crypto_key_ref.RelativeName()))
# Try to update the key's primary version.
set_primary_version_succeeds = True
if args.primary_version:
response = self.UpdatePrimaryVersion(args)
if response:
crypto_key = response # If call succeeds, update the crypto_key.
else:
set_primary_version_succeeds = False
# Try other updates.
other_updates_succeed = True
if fields_to_update:
response = self.UpdateOthers(args, crypto_key, fields_to_update)
if response:
crypto_key = response # If call succeeds, update the crypto_key.
else:
other_updates_succeed = False
if (not set_primary_version_succeeds) or (not other_updates_succeed):
self.HandleErrors(args, set_primary_version_succeeds,
other_updates_succeed, fields_to_update)
else:
return crypto_key
def Run(self, args):
# pylint: disable=line-too-long
client = cloudkms_base.GetClientInstance()
ckv = client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions
new_ckv = ckv.Create(self._CreateCreateCKVRequest(args))
if args.primary:
version_id = new_ckv.name.split('/')[-1]
crypto_key_ref = flags.ParseCryptoKeyName(args)
messages = cloudkms_base.GetMessagesModule()
req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysUpdatePrimaryVersionRequest(
name=crypto_key_ref.RelativeName(),
updateCryptoKeyPrimaryVersionRequest=(
messages.UpdateCryptoKeyPrimaryVersionRequest(
cryptoKeyVersionId=version_id)))
client.projects_locations_keyRings_cryptoKeys.UpdatePrimaryVersion(
req)
if new_ckv.algorithm == self.GOOGLE_SYMMETRIC_ENCRYPTION:
log.err.Print(
self.SYMMETRIC_NEW_PRIMARY_MESSAGE.format(
version=version_id))
return new_ckv
def Run(self, args):
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
crypto_key_ref = flags.ParseCryptoKeyName(args)
req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysPatchRequest(
projectsId=crypto_key_ref.projectsId,
locationsId=crypto_key_ref.locationsId,
keyRingsId=crypto_key_ref.keyRingsId,
cryptoKeysId=crypto_key_ref.cryptoKeysId,
cryptoKey=messages.CryptoKey())
flags.SetNextRotationTime(args, req.cryptoKey)
flags.SetRotationPeriod(args, req.cryptoKey)
fields_to_update = []
if args.rotation_period is not None:
fields_to_update.append('rotationPeriod')
if args.next_rotation_time is not None:
fields_to_update.append('nextRotationTime')
if not fields_to_update:
raise exceptions.ToolException(
'At least one of --next-rotation-time or --rotation-period must be '
'specified.')
req.updateMask = ','.join(fields_to_update)
return client.projects_locations_keyRings_cryptoKeys.Patch(req)
def Run(self, args):
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
crypto_key_ref = flags.ParseCryptoKeyName(args)
parent_ref = flags.ParseParentFromResource(crypto_key_ref)
req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCreateRequest(
parent=parent_ref.RelativeName(),
cryptoKeyId=crypto_key_ref.Name(),
cryptoKey=messages.CryptoKey(
# TODO(b/35914817): Find a better way to get the enum value by name.
purpose=getattr(messages.CryptoKey.PurposeValueValuesEnum,
PURPOSE_MAP[args.purpose]),
labels=labels_util.UpdateLabels(
None,
messages.CryptoKey.LabelsValue,
update_labels=labels_util.GetUpdateLabelsDictFromArgs(
args))),
)
flags.SetNextRotationTime(args, req.cryptoKey)
flags.SetRotationPeriod(args, req.cryptoKey)
return client.projects_locations_keyRings_cryptoKeys.Create(req)
def _ReadOrFetchPublicKeyBytes(self, args, import_job_name):
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
# If the public key was provided, read it off disk. Otherwise, fetch it from
# KMS.
public_key_bytes = None
if args.public_key_file:
try:
public_key_bytes = self._ReadFile(args.public_key_file,
max_bytes=65536)
except files.Error as e:
raise exceptions.BadFileException(
'Failed to read public key file [{0}]: {1}'.format(
args.public_key_file, e))
else:
import_job = client.projects_locations_keyRings_importJobs.Get( # pylint: disable=line-too-long
messages.CloudkmsProjectsLocationsKeyRingsImportJobsGetRequest(
name=import_job_name))
if import_job.state != messages.ImportJob.StateValueValuesEnum.ACTIVE:
raise exceptions.BadArgumentException(
'import-job',
'Import job [{0}] is not active (state is {1}).'.format(
import_job_name, import_job.state))
public_key_bytes = import_job.publicKey.pem.encode('ascii')
return public_key_bytes
def Run(self, args):
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
version_ref = flags.ParseCryptoKeyVersionName(args)
return client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions.Get(
messages.
CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsGetRequest(
name=version_ref.RelativeName()))
def SetUp(self):
self.messages = cloudkms_base.GetMessagesModule()
self.mock_client = mock.Client(
apis.GetClientClass(cloudkms_base.DEFAULT_API_NAME,
cloudkms_base.DEFAULT_API_VERSION),
real_client=cloudkms_base.GetClientInstance())
self.mock_client.Mock()
self.addCleanup(self.mock_client.Unmock)
self.version_ref = GetCryptoKeyVersionRef(self._VERSION_NAME)
def TestCryptoKeyIamPermissions(crypto_key_ref, permissions):
"""Return permissions that the caller has on the named CryptoKey."""
client = base.GetClientInstance()
messages = base.GetMessagesModule()
req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysTestIamPermissionsRequest(
resource=crypto_key_ref.RelativeName(),
testIamPermissionsRequest=messages.TestIamPermissionsRequest(
permissions=permissions))
return client.projects_locations_keyRings_cryptoKeys.TestIamPermissions(req)
def Run(self, args):
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
ekm_connection_ref = args.CONCEPTS.ekm_connection.Parse()
if not ekm_connection_ref.Name():
raise exceptions.InvalidArgumentException(
'ekmconnection', 'ekmconnection id must be non-empty.')
return client.projects_locations_ekmConnections.Get(
messages.CloudkmsProjectsLocationsEkmConnectionsGetRequest(
name=ekm_connection_ref.RelativeName()))
def Run(self, args):
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
key_ring_ref = flags.ParseKeyRingName(args)
if not key_ring_ref.Name():
raise exceptions.InvalidArgumentException('keyring',
'keyring id must be non-empty.')
return client.projects_locations_keyRings.Get(
messages.CloudkmsProjectsLocationsKeyRingsGetRequest(
name=key_ring_ref.RelativeName()))
def Run(self, args):
# pylint: disable=line-too-long
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
version_ref = flags.ParseCryptoKeyVersionName(args)
req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsDestroyRequest(
name=version_ref.RelativeName())
ckv = client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions
return ckv.Destroy(req)
def Run(self, args):
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
crypto_key_ref = flags.ParseCryptoKeyName(args)
req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysPatchRequest(
name=crypto_key_ref.RelativeName(),
cryptoKey=messages.CryptoKey(),
updateMask='rotationPeriod,nextRotationTime')
return client.projects_locations_keyRings_cryptoKeys.Patch(req)
def Run(self, args):
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
crypto_key_ref = flags.ParseCryptoKeyName(args)
return client.projects_locations_keyRings_cryptoKeys.Get(
messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysGetRequest(
projectsId=crypto_key_ref.projectsId,
locationsId=crypto_key_ref.locationsId,
keyRingsId=crypto_key_ref.keyRingsId,
cryptoKeysId=crypto_key_ref.cryptoKeysId))
def Run(self, args):
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
key_ring_ref = args.CONCEPTS.keyring.Parse()
parent_ref = key_ring_ref.Parent()
req = messages.CloudkmsProjectsLocationsKeyRingsCreateRequest(
parent=parent_ref.RelativeName(),
keyRingId=key_ring_ref.Name(),
keyRing=messages.KeyRing())
return client.projects_locations_keyRings.Create(req)
def Run(self, args):
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
version_ref = flags.ParseCryptoKeyVersionName(args)
if not version_ref.Name():
raise exceptions.InvalidArgumentException(
'version', 'version id must be non-empty.')
return client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions.Get(
messages.
CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsGetRequest(
name=version_ref.RelativeName()))
def Run(self, args):
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
key_ring_ref = flags.ParseKeyRingName(args)
parent_ref = flags.ParseParentFromResource(key_ring_ref)
req = messages.CloudkmsProjectsLocationsKeyRingsCreateRequest(
parent=parent_ref.RelativeName(),
keyRingId=key_ring_ref.Name(),
keyRing=messages.KeyRing())
return client.projects_locations_keyRings.Create(req)
def Run(self, args):
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
crypto_key_ref = flags.ParseCryptoKeyName(args)
if not crypto_key_ref.Name():
raise exceptions.InvalidArgumentException(
'key', 'key id must be non-empty.')
resp = client.projects_locations_keyRings_cryptoKeys.Get(
messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysGetRequest(
name=crypto_key_ref.RelativeName()))
return self._DescribeResponse(args, resp)
def Run(self, args):
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
key_ring_ref = flags.ParseKeyRingName(args)
req = messages.CloudkmsProjectsLocationsKeyRingsCreateRequest(
projectsId=key_ring_ref.projectsId,
locationsId=key_ring_ref.locationsId,
keyRingId=key_ring_ref.keyRingsId)
return client.projects_locations_keyRings.Create(req)
def Run(self, args):
if (args.ciphertext_file == '-' and
args.additional_authenticated_data_file == '-'):
raise exceptions.InvalidArgumentException(
'--ciphertext-file',
'--ciphertext-file and --additional-authenticated-data-file cannot '
'both read from stdin.')
try:
# The Encrypt API has a limit of 64K; the output ciphertext files will be
# slightly larger. Check proactively (but generously) to avoid attempting
# to buffer and send obviously oversized files to KMS.
ciphertext = self._ReadFileOrStdin(
args.ciphertext_file, max_bytes=2 * 65536)
except files.Error as e:
raise exceptions.BadFileException(
'Failed to read ciphertext file [{0}]: {1}'.format(
args.ciphertext_file, e))
aad = None
if args.additional_authenticated_data_file:
try:
# The Encrypt API limits the AAD to 64KiB.
aad = self._ReadFileOrStdin(
args.additional_authenticated_data_file, max_bytes=65536)
except files.Error as e:
raise exceptions.BadFileException(
'Failed to read additional authenticated data file [{0}]: {1}'.
format(args.additional_authenticated_data_file, e))
crypto_key_ref = flags.ParseCryptoKeyName(args)
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysDecryptRequest(
name=crypto_key_ref.RelativeName())
req.decryptRequest = messages.DecryptRequest(
ciphertext=ciphertext, additionalAuthenticatedData=aad)
resp = client.projects_locations_keyRings_cryptoKeys.Decrypt(req)
try:
if resp.plaintext is None:
with files.FileWriter(args.plaintext_file):
# to create an empty file
pass
log.Print('Decrypted file is empty')
else:
log.WriteToFileOrStdout(
args.plaintext_file, resp.plaintext, binary=True, overwrite=True)
except files.Error as e:
raise exceptions.BadFileException(e)
def Run(self, args):
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
location_ref = args.CONCEPTS.location.Parse()
request = messages.CloudkmsProjectsLocationsKeyRingsListRequest(
parent=location_ref.RelativeName())
return list_pager.YieldFromList(client.projects_locations_keyRings,
request,
field='keyRings',
limit=args.limit,
batch_size_attribute='pageSize')
def Run(self, args):
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
project = properties.VALUES.core.project.Get(required=True)
request = messages.CloudkmsProjectsLocationsListRequest(
projectsId=project)
return list_pager.YieldFromList(client.projects_locations,
request,
field='locations',
limit=args.limit,
batch_size_attribute='pageSize')
