def Run(self, args):
    """List the CryptoKeyVersions under the CryptoKey resolved from the registry.

    Args:
      args: argparse namespace; only args.limit is read here.

    Returns:
      The paged results produced by list_pager.YieldFromList (one
      CryptoKeyVersion message per item, fetched in pageSize batches).
    """
    # pylint: disable=line-too-long
    client = cloudkms_base.GetClientInstance()
    messages = cloudkms_base.GetMessagesModule()

    # The key is resolved entirely from registry parameter defaults.
    key_ref = resources.REGISTRY.Create(flags.CRYPTO_KEY_COLLECTION)
    list_request = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsListRequest(
        parent=key_ref.RelativeName())

    versions_service = client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions
    return list_pager.YieldFromList(
        versions_service,
        list_request,
        field='cryptoKeyVersions',
        limit=args.limit,
        batch_size_attribute='pageSize')
def GetCryptoKeyIamPolicy(crypto_key_ref):
    """Fetch the IAM Policy attached to the named CryptoKey.

    Args:
        crypto_key_ref: A resources.Resource naming the CryptoKey.

    Returns:
        An apitools wrapper for the IAM Policy.
    """
    kms_client = base.GetClientInstance()
    kms_messages = base.GetMessagesModule()

    # NOTE(review): no options_requestedPolicyVersion is requested here, unlike
    # the KeyRing variant; confirm callers do not need newer policy versions.
    get_request = kms_messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysGetIamPolicyRequest(
        resource=crypto_key_ref.RelativeName())

    return kms_client.projects_locations_keyRings_cryptoKeys.GetIamPolicy(get_request)
  def Run(self, args):
    """Encrypt a plaintext file with a KMS key and write the ciphertext out.

    Args:
      args: argparse namespace with plaintext_file,
        additional_authenticated_data_file, ciphertext_file, version and the
        key-naming flags consumed by flags.ParseCryptoKey(Version)Name.

    Raises:
      exceptions.InvalidArgumentException: both inputs are set to stdin ('-').
      exceptions.BadFileException: an input could not be read or the
        ciphertext could not be written.
    """
    stdin_marker = '-'
    aad_path = args.additional_authenticated_data_file
    if args.plaintext_file == stdin_marker and aad_path == stdin_marker:
      raise exceptions.InvalidArgumentException(
          '--plaintext-file',
          '--plaintext-file and --additional-authenticated-data-file cannot '
          'both read from stdin.')

    # Both inputs are capped at 64KiB, the Encrypt API's limit.
    try:
      plaintext = self._ReadFileOrStdin(args.plaintext_file, max_bytes=65536)
    except files.Error as e:
      raise exceptions.BadFileException(
          'Failed to read plaintext file [{0}]: {1}'.format(
              args.plaintext_file, e))

    # AAD is bound to the ciphertext (AEAD): decrypting later requires the
    # same bytes, so callers must keep it alongside the ciphertext.
    aad = None
    if aad_path:
      try:
        aad = self._ReadFileOrStdin(aad_path, max_bytes=65536)
      except files.Error as e:
        raise exceptions.BadFileException(
            'Failed to read additional authenticated data file [{0}]: {1}'
            .format(aad_path, e))

    parse_name = (flags.ParseCryptoKeyVersionName if args.version
                  else flags.ParseCryptoKeyName)
    crypto_key_ref = parse_name(args)

    client = cloudkms_base.GetClientInstance()
    messages = cloudkms_base.GetMessagesModule()
    req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysEncryptRequest(
        name=crypto_key_ref.RelativeName(),
        encryptRequest=messages.EncryptRequest(
            plaintext=plaintext, additionalAuthenticatedData=aad))
    resp = client.projects_locations_keyRings_cryptoKeys.Encrypt(req)

    try:
      files.WriteFileOrStdoutContents(
          args.ciphertext_file, resp.ciphertext, binary=True, overwrite=True)
    except files.Error as e:
      raise exceptions.BadFileException(e)
def GetKeyRingIamPolicy(key_ring_ref):
  """Fetch the IAM Policy attached to the named KeyRing.

  Args:
    key_ring_ref: A resources.Resource naming the KeyRing.

  Returns:
    An apitools wrapper for the IAM Policy.
  """
  kms_client = base.GetClientInstance()
  kms_messages = base.GetMessagesModule()

  # Request the highest policy version this library supports, presumably so
  # that bindings only expressible in newer versions are returned intact.
  get_request = kms_messages.CloudkmsProjectsLocationsKeyRingsGetIamPolicyRequest(
      resource=key_ring_ref.RelativeName(),
      options_requestedPolicyVersion=iam_util.MAX_LIBRARY_IAM_SUPPORTED_VERSION)

  return kms_client.projects_locations_keyRings.GetIamPolicy(get_request)
    def Run(self, args):
        """List the KeyRings in the location given by --location.

        Args:
          args: argparse namespace; --location is read via MakeGetOrRaise and
            args.limit bounds the number of results.

        Returns:
          The paged KeyRing results produced by list_pager.YieldFromList.
        """
        client = cloudkms_base.GetClientInstance()
        messages = cloudkms_base.GetMessagesModule()

        # --location must be present; the project falls back to core/project.
        parent_ref = resources.REGISTRY.Create(
            flags.LOCATION_COLLECTION,
            projectsId=properties.VALUES.core.project.GetOrFail,
            locationsId=args.MakeGetOrRaise('--location'))
        list_request = messages.CloudkmsProjectsLocationsKeyRingsListRequest(
            parent=parent_ref.RelativeName())

        return list_pager.YieldFromList(
            client.projects_locations_keyRings,
            list_request,
            field='keyRings',
            limit=args.limit,
            batch_size_attribute='pageSize')
    def UpdatePrimaryVersion(self, args):
        """Promote args.primary_version to be the CryptoKey's primary version.

        Args:
          args: argparse namespace; args.CONCEPTS.key names the key and
            args.primary_version the version id to promote.

        Returns:
          The response of UpdatePrimaryVersion, or None when the API call
          raised an apitools HttpError (the error is swallowed here, so
          callers must treat None as failure).
        """
        client = cloudkms_base.GetClientInstance()
        messages = cloudkms_base.GetMessagesModule()
        key_name = args.CONCEPTS.key.Parse().RelativeName()
        body = messages.UpdateCryptoKeyPrimaryVersionRequest(
            cryptoKeyVersionId=args.primary_version)
        req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysUpdatePrimaryVersionRequest(  # pylint: disable=line-too-long
            name=key_name, updateCryptoKeyPrimaryVersionRequest=body)

        keys_service = client.projects_locations_keyRings_cryptoKeys
        try:
            return keys_service.UpdatePrimaryVersion(req)
        except apitools_exceptions.HttpError:
            # Best-effort call: the HTTP failure is reported to the caller as None.
            return None
    def Run(self, args):
        """List the CryptoKeys in the KeyRing resolved from the registry.

        Args:
          args: argparse namespace; only args.limit is read here.

        Returns:
          The paged CryptoKey results produced by list_pager.YieldFromList.
        """
        client = cloudkms_base.GetClientInstance()
        messages = cloudkms_base.GetMessagesModule()

        # Only the project is supplied explicitly; the rest comes from registry
        # parameter defaults.
        parent_ref = resources.REGISTRY.Create(
            flags.KEY_RING_COLLECTION,
            projectsId=properties.VALUES.core.project.GetOrFail)
        list_request = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysListRequest(
            parent=parent_ref.RelativeName())

        return list_pager.YieldFromList(
            client.projects_locations_keyRings_cryptoKeys,
            list_request,
            field='cryptoKeys',
            limit=args.limit,
            batch_size_attribute='pageSize')
def GetPublicKey(version_ref):
    """Gets the public key of a CryptoKeyVersion.

    Args:
        version_ref: A resources.Resource for the CryptoKeyVersion.

    Returns:
        The CryptoKeyVersion's PublicKey.
    """
    kms_client = cloudkms_base.GetClientInstance()
    kms_messages = cloudkms_base.GetMessagesModule()

    get_request = kms_messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsGetPublicKeyRequest(  # pylint: disable=line-too-long
        name=version_ref.RelativeName())
    versions_service = kms_client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions
    return versions_service.GetPublicKey(get_request)
    def _CreateRequest(self, args):
        """Build the CryptoKeys.Create request from the parsed command-line args.

        Args:
          args: argparse namespace carrying purpose, default_algorithm,
            protection_level, label flags, import_only, crypto_key_backend,
            skip_initial_version_creation, rotation/destroy-duration flags and
            the key concept under args.CONCEPTS.key.

        Returns:
          A CloudkmsProjectsLocationsKeyRingsCryptoKeysCreateRequest.

        Raises:
          kms_exceptions.ArgumentError: --default-algorithm is missing for a
            non-encryption purpose, or is not valid for the chosen purpose.
        """
        messages = cloudkms_base.GetMessagesModule()
        purpose_enum = maps.PURPOSE_MAP[args.purpose]
        allowed = maps.VALID_ALGORITHMS_MAP[purpose_enum]

        # Only the encryption purpose has an implied default algorithm (kept for
        # backward compatibility); every other purpose must name one. This
        # mutates args.default_algorithm so later readers see the default.
        if not args.default_algorithm:
            if args.purpose != 'encryption':
                raise kms_exceptions.ArgumentError(
                    '--default-algorithm needs to be specified when creating a key with'
                    ' --purpose={}. The valid algorithms are: {}'.format(
                        args.purpose, ', '.join(allowed)))
            args.default_algorithm = 'google-symmetric-encryption'

        if args.default_algorithm not in allowed:
            raise kms_exceptions.ArgumentError(
                'Default algorithm and purpose are incompatible. Here are the valid '
                'algorithms for --purpose={}: {}'.format(
                    args.purpose, ', '.join(allowed)))

        crypto_key_ref = args.CONCEPTS.key.Parse()
        parent_name = crypto_key_ref.Parent().RelativeName()
        key_id = crypto_key_ref.Name()
        template = messages.CryptoKeyVersionTemplate(
            protectionLevel=maps.PROTECTION_LEVEL_MAPPER.GetEnumForChoice(
                args.protection_level),
            algorithm=maps.ALGORITHM_MAPPER.GetEnumForChoice(
                args.default_algorithm))
        crypto_key = messages.CryptoKey(
            purpose=purpose_enum,
            versionTemplate=template,
            labels=labels_util.ParseCreateArgs(
                args, messages.CryptoKey.LabelsValue),
            importOnly=args.import_only,
            cryptoKeyBackend=args.crypto_key_backend)
        req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCreateRequest(
            parent=parent_name,
            cryptoKeyId=key_id,
            cryptoKey=crypto_key,
            skipInitialVersionCreation=args.skip_initial_version_creation)

        # Rotation and destroy-scheduled settings are applied to the key in place.
        for apply_flag in (flags.SetNextRotationTime,
                           flags.SetRotationPeriod,
                           flags.SetDestroyScheduledDuration):
            apply_flag(args, req.cryptoKey)

        return req
    def _CreateRequest(self, args):
        """Build the CryptoKeys.Create request from the parsed command-line args.

        Args:
          args: argparse namespace carrying purpose, default_algorithm,
            protection_level, label flags, rotation flags and the key-naming
            flags consumed by flags.ParseCryptoKeyName.

        Returns:
          A CloudkmsProjectsLocationsKeyRingsCryptoKeysCreateRequest.

        Raises:
          exceptions.ToolException: --default-algorithm is missing for a
            non-encryption purpose, or is not valid for the chosen purpose.
        """
        messages = cloudkms_base.GetMessagesModule()
        purpose_enum = maps.PURPOSE_MAP[args.purpose]
        allowed = maps.VALID_ALGORITHMS_MAP[purpose_enum]

        # Only the encryption purpose has an implied default algorithm (kept for
        # backward compatibility); asymmetric purposes must name one. This
        # mutates args.default_algorithm so later readers see the default.
        if not args.default_algorithm:
            if args.purpose != 'encryption':
                raise exceptions.ToolException(
                    '--default-algorithm needs to be specified when creating a key with'
                    ' --purpose={}. The valid algorithms are: {}'.format(
                        args.purpose, ', '.join(allowed)))
            args.default_algorithm = 'google-symmetric-encryption'

        if args.default_algorithm not in allowed:
            raise exceptions.ToolException(
                'Default algorithm and purpose are incompatible. Here are the valid '
                'algorithms for --purpose={}: {}'.format(
                    args.purpose, ', '.join(allowed)))

        crypto_key_ref = flags.ParseCryptoKeyName(args)
        parent_name = flags.ParseParentFromResource(crypto_key_ref).RelativeName()
        key_id = crypto_key_ref.Name()

        # TODO(b/35914817): Find a better way to get the enum value by name.
        template = messages.CryptoKeyVersionTemplate(
            protectionLevel=maps.PROTECTION_LEVEL_MAPPER.GetEnumForChoice(
                args.protection_level),
            algorithm=maps.ALGORITHM_MAPPER.GetEnumForChoice(
                args.default_algorithm))
        crypto_key = messages.CryptoKey(
            purpose=purpose_enum,
            versionTemplate=template,
            labels=labels_util.ParseCreateArgs(
                args, messages.CryptoKey.LabelsValue))
        req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCreateRequest(
            parent=parent_name, cryptoKeyId=key_id, cryptoKey=crypto_key)

        # Rotation settings are applied to the key in place.
        for apply_flag in (flags.SetNextRotationTime, flags.SetRotationPeriod):
            apply_flag(args, req.cryptoKey)

        return req
  def Run(self, args):
    """Create a CryptoKeyVersion and, with --primary, promote it to primary.

    Args:
      args: argparse namespace; args.primary requests the promotion, the rest
        is consumed by _CreateCreateCKVRequest and flags.ParseCryptoKeyName.

    Returns:
      The newly created CryptoKeyVersion message.
    """
    # pylint: disable=line-too-long
    client = cloudkms_base.GetClientInstance()
    versions_service = client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions
    created = versions_service.Create(self._CreateCreateCKVRequest(args))
    if not args.primary:
      return created

    # The version id is the last path segment of the returned resource name.
    messages = cloudkms_base.GetMessagesModule()
    version_id = created.name.rsplit('/', 1)[-1]
    promote_req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysUpdatePrimaryVersionRequest(
        name=flags.ParseCryptoKeyName(args).RelativeName(),
        updateCryptoKeyPrimaryVersionRequest=(
            messages.UpdateCryptoKeyPrimaryVersionRequest(
                cryptoKeyVersionId=version_id)))
    client.projects_locations_keyRings_cryptoKeys.UpdatePrimaryVersion(promote_req)
    return created
    def _CreateRequest(self, args):
        """Build the CryptoKeys.Create request for a key with the given purpose.

        Args:
          args: argparse namespace carrying purpose, label flags, rotation
            flags and the key-naming flags consumed by flags.ParseCryptoKeyName.

        Returns:
          A CloudkmsProjectsLocationsKeyRingsCryptoKeysCreateRequest.
        """
        messages = cloudkms_base.GetMessagesModule()

        crypto_key_ref = flags.ParseCryptoKeyName(args)
        parent_name = flags.ParseParentFromResource(crypto_key_ref).RelativeName()

        # TODO(b/35914817): Find a better way to get the enum value by name.
        crypto_key = messages.CryptoKey(
            purpose=maps.PURPOSE_MAP[args.purpose],
            labels=labels_util.ParseCreateArgs(
                args, messages.CryptoKey.LabelsValue))
        req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCreateRequest(
            parent=parent_name,
            cryptoKeyId=crypto_key_ref.Name(),
            cryptoKey=crypto_key)

        # Rotation settings are applied to the key in place.
        for apply_flag in (flags.SetNextRotationTime, flags.SetRotationPeriod):
            apply_flag(args, req.cryptoKey)
        return req
def GetKeyRingIamPolicy(key_ring_ref):
    """Fetch the IAM Policy attached to the named KeyRing.

    Args:
        key_ring_ref: A resources.Resource naming the KeyRing.

    Returns:
        An apitools wrapper for the IAM Policy.
    """
    kms_client = base.GetClientInstance()
    kms_messages = base.GetMessagesModule()

    # This request addresses the key ring by its individual path components
    # rather than by a single relative resource name.
    get_request = kms_messages.CloudkmsProjectsLocationsKeyRingsGetIamPolicyRequest(
        keyRingsId=key_ring_ref.keyRingsId,
        locationsId=key_ring_ref.locationsId,
        projectsId=key_ring_ref.projectsId)

    return kms_client.projects_locations_keyRings.GetIamPolicy(get_request)
    def Run(self, args):
        """Describe a CryptoKey, omitting the primary version's attestation.

        Args:
          args: argparse namespace; args.CONCEPTS.key names the key.

        Returns:
          The CryptoKey message, with resp.primary.attestation cleared.

        Raises:
          exceptions.InvalidArgumentException: the key id is empty.
        """
        client = cloudkms_base.GetClientInstance()
        messages = cloudkms_base.GetMessagesModule()

        crypto_key_ref = args.CONCEPTS.key.Parse()
        if not crypto_key_ref.Name():
            raise exceptions.InvalidArgumentException(
                'key', 'key id must be non-empty.')
        get_request = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysGetRequest(
            name=crypto_key_ref.RelativeName())
        resp = client.projects_locations_keyRings_cryptoKeys.Get(get_request)

        # The attestation is deliberately kept out of the printed output; it is
        # available via `keys versions describe --attestation-file` instead.
        primary = resp.primary
        if primary and primary.attestation:
            primary.attestation = None

        return resp
    def Run(self, args):
        """Describe a CryptoKeyVersion, optionally saving its HSM attestation.

        Args:
          args: argparse namespace; attestation_file is the optional path the
            attestation is written to, the rest names the version via
            flags.ParseCryptoKeyVersionName.

        Returns:
          The CryptoKeyVersion message with attestation.content and
          attestation.certChains cleared (they are never printed inline).

        Raises:
          exceptions.InvalidArgumentException: the version id is empty.
          kms_exceptions.ArgumentError: --attestation-file was given for a
            non-HSM version or one still pending generation.
          exceptions.BadFileException: the attestation file could not be written.
        """
        client = cloudkms_base.GetClientInstance()
        messages = cloudkms_base.GetMessagesModule()

        version_ref = flags.ParseCryptoKeyVersionName(args)
        if not version_ref.Name():
            raise exceptions.InvalidArgumentException(
                'version', 'version id must be non-empty.')
        get_request = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsGetRequest(  # pylint: disable=line-too-long
            name=version_ref.RelativeName())
        versions_service = client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions
        version = versions_service.Get(get_request)

        if args.attestation_file:
            enums = messages.CryptoKeyVersion
            # Attestations only exist for HSM-backed versions that have finished
            # generating; reject the flag otherwise rather than writing nothing.
            if version.protectionLevel != enums.ProtectionLevelValueValuesEnum.HSM:
                raise kms_exceptions.ArgumentError(
                    'Attestations are only available for HSM key versions.')
            if version.state == enums.StateValueValuesEnum.PENDING_GENERATION:
                raise kms_exceptions.ArgumentError(
                    'The attestation is unavailable until the version is generated.'
                )
            if version.attestation is not None:
                try:
                    log.WriteToFileOrStdout(args.attestation_file,
                                            version.attestation.content,
                                            overwrite=True,
                                            binary=True)
                except files.Error as e:
                    raise exceptions.BadFileException(e)

        attestation = version.attestation
        if attestation is not None:
            # Keep the bulky attestation blobs out of the printed output; they are
            # reachable via --attestation-file and get-certificate-chain instead.
            attestation.content = None
            attestation.certChains = None

        return version
    def Run(self, args):
        """Make the CryptoKeyVersion named on the command line the key's primary.

        Args:
          args: argparse namespace; args.cryptokey supplies the key id and the
            remaining flags are consumed by flags.ParseCryptoKeyVersionName.

        Returns:
          The response of the UpdatePrimaryVersion API call.
        """
        # pylint: disable=line-too-long
        client = cloudkms_base.GetClientInstance()
        messages = cloudkms_base.GetMessagesModule()

        # Let the registry resolve cryptoKeysId from --cryptokey before parsing.
        resources.REGISTRY.SetParamDefault(
            'cloudkms', None, 'cryptoKeysId',
            resolvers.FromArgument('--cryptokey', args.cryptokey))
        version_ref = flags.ParseCryptoKeyVersionName(args)

        body = messages.UpdateCryptoKeyPrimaryVersionRequest(
            cryptoKeyVersionId=version_ref.cryptoKeyVersionsId)
        promote_req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysUpdatePrimaryVersionRequest(
            name=version_ref.RelativeName(),
            updateCryptoKeyPrimaryVersionRequest=body)

        keys_service = client.projects_locations_keyRings_cryptoKeys
        return keys_service.UpdatePrimaryVersion(promote_req)
  def UpdateOthers(self, args, crypto_key, fields_to_update):
    """Patch a CryptoKey's labels and rotation settings.

    Args:
      args: argparse namespace with the label-update and rotation flags plus
        the key-naming flags consumed by flags.ParseCryptoKeyName.
      crypto_key: The current CryptoKey message; its labels are the base the
        label diff is applied to.
      fields_to_update: Field names joined into the request's updateMask.

    Returns:
      The Patch response, or None when the API call raised an apitools
      HttpError (the error is swallowed here; callers must treat None as
      failure).
    """
    client = cloudkms_base.GetClientInstance()
    messages = cloudkms_base.GetMessagesModule()
    key_name = flags.ParseCryptoKeyName(args).RelativeName()

    merged_labels = labels_util.Diff.FromUpdateArgs(args).Apply(
        messages.CryptoKey.LabelsValue, crypto_key.labels).GetOrNone()
    req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysPatchRequest(
        name=key_name,
        cryptoKey=messages.CryptoKey(labels=merged_labels))
    # Only the fields listed in the mask are touched server-side.
    req.updateMask = ','.join(fields_to_update)
    for apply_flag in (flags.SetNextRotationTime, flags.SetRotationPeriod):
      apply_flag(args, req.cryptoKey)

    try:
      return client.projects_locations_keyRings_cryptoKeys.Patch(req)
    except apitools_exceptions.HttpError:
      # Best-effort call: the HTTP failure is reported to the caller as None.
      return None
  def Run(self, args):
    """Create a CryptoKey with the given purpose under the named KeyRing.

    Args:
      args: argparse namespace carrying purpose, rotation flags and the
        key/key-ring naming flags consumed by flags.ParseCryptoKeyName and
        flags.ParseKeyRingName.

    Returns:
      The CryptoKey returned by the Create API call.
    """
    client = cloudkms_base.GetClientInstance()
    messages = cloudkms_base.GetMessagesModule()

    crypto_key_ref = flags.ParseCryptoKeyName(args)
    parent_name = flags.ParseKeyRingName(args).RelativeName()

    # TODO(b/35914817): Find a better way to get the enum value by name.
    purpose_enum = getattr(messages.CryptoKey.PurposeValueValuesEnum,
                           PURPOSE_MAP[args.purpose])
    req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCreateRequest(
        parent=parent_name,
        cryptoKeyId=crypto_key_ref.Name(),
        cryptoKey=messages.CryptoKey(purpose=purpose_enum))

    # Rotation settings are applied to the key in place.
    for apply_flag in (flags.SetNextRotationTime, flags.SetRotationPeriod):
      apply_flag(args, req.cryptoKey)

    return client.projects_locations_keyRings_cryptoKeys.Create(req)
 def _ReadOrFetchPublicKeyBytes(self, args, import_job_name):
     """Return the import job's wrapping public key as PEM bytes.

     The key is read from --public-key-file when given; otherwise it is
     fetched from the named ImportJob in KMS.

     Args:
       args: argparse namespace; args.public_key_file is the optional path.
       import_job_name: Relative resource name of the ImportJob.

     Returns:
       The PEM-encoded public key as bytes (ASCII-encoded when it comes from
       the ImportJob message).

     Raises:
       exceptions.BadFileException: the local public key file could not be
         read (the read is capped at 64KiB).
     """
     client = cloudkms_base.GetClientInstance()
     messages = cloudkms_base.GetMessagesModule()

     if args.public_key_file:
         # A locally supplied key is used as given; nothing here compares it to
         # the ImportJob's own public key.
         try:
             return self._ReadFile(args.public_key_file, max_bytes=65536)
         except files.Error as e:
             raise exceptions.BadFileException(
                 'Failed to read public key file [{0}]: {1}'.format(
                     args.public_key_file, e))

     get_request = messages.CloudkmsProjectsLocationsKeyRingsImportJobsGetRequest(
         name=import_job_name)
     import_job = client.projects_locations_keyRings_importJobs.Get(get_request)
     return import_job.publicKey.pem.encode('ascii')
def SetCryptoKeyIamPolicy(crypto_key_ref, policy):
    """Set the IAM Policy attached to the named CryptoKey to the given policy.

    If 'policy' has no etag specified, this will BLINDLY OVERWRITE the IAM
    policy! Pass the etag from a preceding GetIamPolicy so concurrent edits
    are rejected instead of silently lost.

    Args:
        crypto_key_ref: A resources.Resource naming the CryptoKey.
        policy: An apitools wrapper for the IAM Policy.

    Returns:
        The IAM Policy.
    """
    kms_client = base.GetClientInstance()
    kms_messages = base.GetMessagesModule()

    set_request = kms_messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysSetIamPolicyRequest(
        resource=crypto_key_ref.RelativeName(),
        setIamPolicyRequest=kms_messages.SetIamPolicyRequest(policy=policy))

    return kms_client.projects_locations_keyRings_cryptoKeys.SetIamPolicy(set_request)
    def Run(self, args):
        """Fetch a CryptoKeyVersion's public key and write its PEM to a file or stdout.

        Args:
          args: argparse namespace; output_file is the optional destination
            ('-' meaning stdout), the rest names the version via
            flags.ParseCryptoKeyVersionName.

        Raises:
          exceptions.InvalidArgumentException: the version id is empty.
        """
        client = cloudkms_base.GetClientInstance()
        messages = cloudkms_base.GetMessagesModule()

        version_ref = flags.ParseCryptoKeyVersionName(args)
        if not version_ref.Name():
            raise exceptions.InvalidArgumentException(
                'version', 'version id must be non-empty.')

        get_request = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsGetPublicKeyRequest(  # pylint: disable=line-too-long
            name=version_ref.RelativeName())
        versions_service = client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions
        public_key = versions_service.GetPublicKey(get_request)

        # TODO(b/72555857): Revisit this when we pull this into trunk.
        destination = args.output_file or '-'
        log.WriteToFileOrStdout(destination,
                                public_key.pem,
                                overwrite=True,
                                binary=False,
                                private=True)
  def _CreateAsymmetricSignRequest(self, args):
    """Build an AsymmetricSign request from the digest of args.input_file.

    Args:
      args: argparse namespace with digest_algorithm, input_file and the
        version-naming flags consumed by flags.ParseCryptoKeyVersionName.

    Returns:
      A CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsAsymmetricSignRequest
      whose digestCrc32c is set unless integrity verification is skipped.

    Raises:
      exceptions.BadFileException: the input file could not be read.
    """
    try:
      digest = get_digest.GetDigest(args.digest_algorithm, args.input_file)
    except EnvironmentError as e:
      raise exceptions.BadFileException(
          'Failed to read input file [{0}]: {1}'.format(args.input_file, e))

    messages = cloudkms_base.GetMessagesModule()
    version_name = flags.ParseCryptoKeyVersionName(args).RelativeName()
    req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsAsymmetricSignRequest(  # pylint: disable=line-too-long
        name=version_name)

    sign_body = messages.AsymmetricSignRequest(digest=digest)
    if self._PerformIntegrityVerification(args):
      # The checksum lets the server detect a digest corrupted in transit.
      # args.digest_algorithm has already been validated by GetDigest().
      digest_bytes = getattr(digest, args.digest_algorithm)
      sign_body.digestCrc32c = crc32c.Crc32c(digest_bytes)
    req.asymmetricSignRequest = sign_body

    return req
def SetState(version_ref, state):
    """Update the state of a CryptoKeyVersion.

    Args:
        version_ref: A resources.Resource for the CryptoKeyVersion.
        state: an apitools enum for ENABLED or DISABLED state.

    Returns:
        The updated CryptoKeyVersion.
    """
    kms_client = cloudkms_base.GetClientInstance()
    kms_messages = cloudkms_base.GetMessagesModule()

    # The update mask restricts the patch to the state field only.
    patch_request = kms_messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsPatchRequest(  # pylint: disable=line-too-long
        name=version_ref.RelativeName(),
        updateMask='state',
        cryptoKeyVersion=kms_messages.CryptoKeyVersion(state=state))

    versions_service = kms_client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions
    return versions_service.Patch(patch_request)
    def _CreateMacSignRequest(self, args):
        """Build a MacSign request from the contents of args.input_file.

        Args:
          args: argparse namespace with input_file and the version-naming
            flags consumed by flags.ParseCryptoKeyVersionName.

        Returns:
          A CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsMacSignRequest
          whose dataCrc32c is set unless integrity verification is skipped.

        Raises:
          exceptions.BadFileException: the input could not be read.
        """
        try:
            # The MacSign API limits the input data to 64KiB.
            data = self._ReadFileOrStdin(args.input_file, max_bytes=65536)
        except EnvironmentError as e:
            raise exceptions.BadFileException(
                'Failed to read input file [{0}]: {1}'.format(
                    args.input_file, e))

        messages = cloudkms_base.GetMessagesModule()
        version_name = flags.ParseCryptoKeyVersionName(args).RelativeName()
        req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsMacSignRequest(  # pylint: disable=line-too-long
            name=version_name)

        sign_body = messages.MacSignRequest(data=data)
        if self._PerformIntegrityVerification(args):
            # The checksum lets the server detect data corrupted in transit.
            sign_body.dataCrc32c = crc32c.Crc32c(data)
        req.macSignRequest = sign_body

        return req
    def _CreateCreateCKVRequest(self, args):
        """Build the CryptoKeyVersions.Create request for the named key.

        Args:
          args: argparse namespace; external_key_uri / ekm_connection_key_path
            select an externally managed key, the rest is consumed by
            flags.ParseCryptoKeyName.

        Returns:
          A CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsCreateRequest,
          carrying externalProtectionLevelOptions only when an external key
          was requested.

        Raises:
          kms_exceptions.ArgumentError: both external key flags were given.
        """
        # pylint: disable=line-too-long
        messages = cloudkms_base.GetMessagesModule()
        parent_name = flags.ParseCryptoKeyName(args).RelativeName()

        external_uri = args.external_key_uri
        ekm_key_path = args.ekm_connection_key_path
        if external_uri and ekm_key_path:
            raise kms_exceptions.ArgumentError(
                'Can not specify both --external-key-uri and '
                '--ekm-connection-key-path.')

        version = None
        if external_uri or ekm_key_path:
            version = messages.CryptoKeyVersion(
                externalProtectionLevelOptions=messages.ExternalProtectionLevelOptions(
                    externalKeyUri=external_uri,
                    ekmConnectionKeyPath=ekm_key_path))
            return messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsCreateRequest(
                parent=parent_name, cryptoKeyVersion=version)

        return messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsCreateRequest(
            parent=parent_name)
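  def Run(self, args):
    """Update an EkmConnection with the fields given on the command line.

    Args:
      args: argparse namespace; at least one of service_directory_service,
        endpoint_filter, hostname or server_certificates_files must be set,
        and the connection is named via flags.ParseEkmConnectionName.

    Returns:
      The EkmConnection returned by the Patch API call.

    Raises:
      kms_exceptions.UpdateError: none of the updatable fields was given.
    """
    update_flags = (args.service_directory_service, args.endpoint_filter,
                    args.hostname, args.server_certificates_files)
    if not any(update_flags):
      # Message typo fixed: "occured" -> "occurred".
      raise kms_exceptions.UpdateError(
          'An error occurred: At least one of --service-directory-service or '
          '--endpoint-filter or --hostname or --server-certificates-files '
          'must be specified.')

    client = cloudkms_base.GetClientInstance()
    messages = cloudkms_base.GetMessagesModule()
    ec_ref = flags.ParseEkmConnectionName(args)

    # Fetch the existing connection first so a missing resource surfaces as
    # the Get error rather than as a confusing Patch failure.
    ekm_connection = client.projects_locations_ekmConnections.Get(
        messages.CloudkmsProjectsLocationsEkmConnectionsGetRequest(
            name=ec_ref.RelativeName()))

    update_req = self.CreateRequest(args, messages, ekm_connection)
    return client.projects_locations_ekmConnections.Patch(update_req)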
    def _CreateAsymmetricSignRequestOnData(self, args):
        """Returns an AsymmetricSignRequest for use with a data input.

        Populates an AsymmetricSignRequest with its data field set to the bytes
        read from args.input_file. dataCrc32c is populated unless integrity
        verification is skipped.

        Args:
          args: Input arguments.

        Returns:
          An AsymmetricSignRequest with data populated and dataCrc32c populated
          if integrity verification is not skipped.

        Raises:
          exceptions.BadFileException: An error occurred reading the input
            file. This can occur if the file can't be read or if the file is
            larger than 64 KiB.
        """
        try:
            # The Asymmetric Sign API limits the data input to 64KiB.
            data = self._ReadBinaryFile(args.input_file, max_bytes=65536)
        except files.Error as e:
            raise exceptions.BadFileException(
                'Failed to read input file [{0}]: {1}'.format(
                    args.input_file, e))

        messages = cloudkms_base.GetMessagesModule()
        version_name = flags.ParseCryptoKeyVersionName(args).RelativeName()
        req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsAsymmetricSignRequest(  # pylint: disable=line-too-long
            name=version_name)

        sign_body = messages.AsymmetricSignRequest(data=data)
        if self._PerformIntegrityVerification(args):
            # The checksum lets the server detect data corrupted in transit.
            sign_body.dataCrc32c = crc32c.Crc32c(data)
        req.asymmetricSignRequest = sign_body

        return req
  def Run(self, args):
    """Describe an ImportJob, optionally saving its HSM attestation to a file.

    Args:
      args: argparse namespace; attestation_file is the optional path the
        attestation is written to, the rest names the job via
        flags.ParseImportJobName.

    Returns:
      The ImportJob message with attestation.content cleared (it is never
      printed inline).

    Raises:
      exceptions.InvalidArgumentException: the import job id is empty.
      exceptions.ToolException: --attestation-file was given for a non-HSM
        import job or one still pending generation.
      exceptions.BadFileException: the attestation file could not be written.
    """
    client = cloudkms_base.GetClientInstance()
    messages = cloudkms_base.GetMessagesModule()

    import_job_ref = flags.ParseImportJobName(args)
    if not import_job_ref.Name():
      raise exceptions.InvalidArgumentException(
          'import_job', 'import job id must be non-empty.')
    get_request = messages.CloudkmsProjectsLocationsKeyRingsImportJobsGetRequest(
        name=import_job_ref.RelativeName())
    import_job = client.projects_locations_keyRings_importJobs.Get(get_request)

    if args.attestation_file:
      enums = messages.ImportJob
      # Attestations only exist for HSM-backed jobs that have finished
      # generating; reject the flag otherwise rather than writing nothing.
      if import_job.protectionLevel != enums.ProtectionLevelValueValuesEnum.HSM:
        raise exceptions.ToolException(
            'Attestations are only available for HSM import jobs.')
      if import_job.state == enums.StateValueValuesEnum.PENDING_GENERATION:
        raise exceptions.ToolException(
            'The attestation is unavailable until the import job is generated.')
      if import_job.attestation is not None:
        try:
          log.WriteToFileOrStdout(
              args.attestation_file,
              import_job.attestation.content,
              overwrite=True,
              binary=True)
        except files.Error as e:
          raise exceptions.BadFileException(e)

    attestation = import_job.attestation
    if attestation is not None:
      # Keep the bulky attestation blob out of the printed output; it is
      # reachable via --attestation-file instead.
      attestation.content = None

    return import_job
def SetKeyRingIamPolicy(key_ring_ref, policy):
    """Set the IAM Policy attached to the named KeyRing to the given policy.

    If 'policy' has no etag specified, this will BLINDLY OVERWRITE the IAM
    policy! Pass the etag from a preceding GetIamPolicy so concurrent edits
    are rejected instead of silently lost.

    Args:
        key_ring_ref: A resources.Resource naming the KeyRing.
        policy: An apitools wrapper for the IAM Policy.

    Returns:
        The IAM Policy.
    """
    kms_client = base.GetClientInstance()
    kms_messages = base.GetMessagesModule()

    # The key ring is addressed by its individual path components here.
    set_request = kms_messages.CloudkmsProjectsLocationsKeyRingsSetIamPolicyRequest(
        keyRingsId=key_ring_ref.keyRingsId,
        locationsId=key_ring_ref.locationsId,
        projectsId=key_ring_ref.projectsId,
        setIamPolicyRequest=kms_messages.SetIamPolicyRequest(policy=policy))

    return kms_client.projects_locations_keyRings.SetIamPolicy(set_request)
def SetKeyRingIamPolicy(key_ring_ref, policy, update_mask):
    """Set the IAM Policy attached to the named KeyRing to the given policy.

    If 'policy' has no etag specified, this will BLINDLY OVERWRITE the IAM
    policy! Pass the etag from a preceding GetIamPolicy so concurrent edits
    are rejected instead of silently lost.

    Args:
        key_ring_ref: A resources.Resource naming the KeyRing.
        policy: An apitools wrapper for the IAM Policy.
        update_mask: str, FieldMask represented as comma-separated field names.

    Returns:
        The IAM Policy.
    """
    kms_client = base.GetClientInstance()
    kms_messages = base.GetMessagesModule()

    # Only the fields named in update_mask are modified server-side.
    set_body = kms_messages.SetIamPolicyRequest(
        policy=policy, updateMask=update_mask)
    set_request = kms_messages.CloudkmsProjectsLocationsKeyRingsSetIamPolicyRequest(
        resource=key_ring_ref.RelativeName(),
        setIamPolicyRequest=set_body)

    return kms_client.projects_locations_keyRings.SetIamPolicy(set_request)