def Run(self, args):
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
crypto_key_ref = flags.ParseCryptoKeyName(args)
return client.projects_locations_keyRings_cryptoKeys.Get(
messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysGetRequest(
name=crypto_key_ref.RelativeName()))
def Run(self, args):
messages = cloudkms_base.GetMessagesModule()
policy = iam_util.ParseJsonPolicyFile(args.policy_file,
messages.Policy)
return iam.SetCryptoKeyIamPolicy(flags.ParseCryptoKeyName(args),
policy)
def Run(self, args):
messages = cloudkms_base.GetMessagesModule()
policy, update_mask = iam_util.ParseYamlOrJsonPolicyFile(args.policy_file,
messages.Policy)
crypto_key_ref = flags.ParseCryptoKeyName(args)
result = iam.SetCryptoKeyIamPolicy(crypto_key_ref, policy, update_mask)
iam_util.LogSetIamPolicy(crypto_key_ref.Name(), 'key')
return result
def _CreateEncryptRequest(self, args):
if (args.plaintext_file == '-'
and args.additional_authenticated_data_file == '-'):
raise exceptions.InvalidArgumentException(
'--plaintext-file',
'--plaintext-file and --additional-authenticated-data-file cannot '
'both read from stdin.')
try:
# The Encrypt API limits the plaintext to 64KiB.
plaintext = self._ReadFileOrStdin(args.plaintext_file,
max_bytes=65536)
except files.Error as e:
raise exceptions.BadFileException(
'Failed to read plaintext file [{0}]: {1}'.format(
args.plaintext_file, e))
aad = None
if args.additional_authenticated_data_file:
try:
# The Encrypt API limits the AAD to 64KiB.
aad = self._ReadFileOrStdin(
args.additional_authenticated_data_file, max_bytes=65536)
except files.Error as e:
raise exceptions.BadFileException(
'Failed to read additional authenticated data file [{0}]: {1}'
.format(args.additional_authenticated_data_file, e))
if args.version:
crypto_key_ref = flags.ParseCryptoKeyVersionName(args)
else:
crypto_key_ref = flags.ParseCryptoKeyName(args)
messages = cloudkms_base.GetMessagesModule()
req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysEncryptRequest(
name=crypto_key_ref.RelativeName())
# Populate request integrity fields.
if self._PerformIntegrityVerification(args):
plaintext_crc32c = crc32c.Crc32c(plaintext)
# Set checksum if AAD is not provided for simpler response verification.
aad_crc32c = crc32c.Crc32c(
aad) if aad is not None else crc32c.Crc32c(b'')
req.encryptRequest = messages.EncryptRequest(
plaintext=plaintext,
additionalAuthenticatedData=aad,
plaintextCrc32c=plaintext_crc32c,
additionalAuthenticatedDataCrc32c=aad_crc32c)
else:
req.encryptRequest = messages.EncryptRequest(
plaintext=plaintext, additionalAuthenticatedData=aad)
return req
def Run(self, args):
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
crypto_key_ref = flags.ParseCryptoKeyName(args)
req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysPatchRequest(
name=crypto_key_ref.RelativeName(),
cryptoKey=messages.CryptoKey(),
updateMask='rotationPeriod,nextRotationTime')
return client.projects_locations_keyRings_cryptoKeys.Patch(req)
def Run(self, args):
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
crypto_key_ref = flags.ParseCryptoKeyName(args)
if not crypto_key_ref.Name():
raise exceptions.InvalidArgumentException('key',
'key id must be non-empty.')
return client.projects_locations_keyRings_cryptoKeys.Get(
messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysGetRequest(
name=crypto_key_ref.RelativeName()))
def Run(self, args):
if (args.ciphertext_file == '-' and
args.additional_authenticated_data_file == '-'):
raise exceptions.InvalidArgumentException(
'--ciphertext-file',
'--ciphertext-file and --additional-authenticated-data-file cannot '
'both read from stdin.')
try:
# The Encrypt API has a limit of 64K; the output ciphertext files will be
# slightly larger. Check proactively (but generously) to avoid attempting
# to buffer and send obviously oversized files to KMS.
ciphertext = self._ReadFileOrStdin(
args.ciphertext_file, max_bytes=2 * 65536)
except files.Error as e:
raise exceptions.BadFileException(
'Failed to read ciphertext file [{0}]: {1}'.format(
args.ciphertext_file, e))
aad = None
if args.additional_authenticated_data_file:
try:
# The Encrypt API limits the AAD to 64KiB.
aad = self._ReadFileOrStdin(
args.additional_authenticated_data_file, max_bytes=65536)
except files.Error as e:
raise exceptions.BadFileException(
'Failed to read additional authenticated data file [{0}]: {1}'.
format(args.additional_authenticated_data_file, e))
crypto_key_ref = flags.ParseCryptoKeyName(args)
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysDecryptRequest(
name=crypto_key_ref.RelativeName())
req.decryptRequest = messages.DecryptRequest(
ciphertext=ciphertext, additionalAuthenticatedData=aad)
resp = client.projects_locations_keyRings_cryptoKeys.Decrypt(req)
try:
if resp.plaintext is None:
with files.FileWriter(args.plaintext_file):
# to create an empty file
pass
log.Print('Decrypted file is empty')
else:
log.WriteToFileOrStdout(
args.plaintext_file, resp.plaintext, binary=True, overwrite=True)
except files.Error as e:
raise exceptions.BadFileException(e)
def Run(self, args):
if (args.plaintext_file == '-'
and args.additional_authenticated_data_file == '-'):
raise exceptions.InvalidArgumentException(
'--plaintext-file',
'--plaintext-file and --additional-authenticated-data-file cannot '
'both read from stdin.')
try:
# The Encrypt API limits the plaintext to 64KiB.
plaintext = self._ReadFileOrStdin(args.plaintext_file,
max_bytes=65536)
except files.Error as e:
raise exceptions.BadFileException(
'Failed to read plaintext file [{0}]: {1}'.format(
args.plaintext_file, e))
aad = None
if args.additional_authenticated_data_file:
try:
# The Encrypt API limits the AAD to 64KiB.
aad = self._ReadFileOrStdin(
args.additional_authenticated_data_file, max_bytes=65536)
except files.Error as e:
raise exceptions.BadFileException(
'Failed to read additional authenticated data file [{0}]: {1}'
.format(args.additional_authenticated_data_file, e))
if args.version:
crypto_key_ref = flags.ParseCryptoKeyVersionName(args)
else:
crypto_key_ref = flags.ParseCryptoKeyName(args)
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysEncryptRequest(
name=crypto_key_ref.RelativeName())
req.encryptRequest = messages.EncryptRequest(
plaintext=plaintext, additionalAuthenticatedData=aad)
resp = client.projects_locations_keyRings_cryptoKeys.Encrypt(req)
try:
log.WriteToFileOrStdout(args.ciphertext_file,
resp.ciphertext,
binary=True,
overwrite=True)
except files.Error as e:
raise exceptions.BadFileException(e)
def _CreateRequest(self, args):
messages = cloudkms_base.GetMessagesModule()
purpose = maps.PURPOSE_MAP[args.purpose]
valid_algorithms = maps.VALID_ALGORITHMS_MAP[purpose]
# Check default algorithm has been specified for asymmetric keys. For
# backward compatibility, the algorithm is google-symmetric-encryption by
# default if the purpose is encryption.
if not args.default_algorithm:
if args.purpose != 'encryption':
raise exceptions.ToolException(
'--default-algorithm needs to be specified when creating a key with'
' --purpose={}. The valid algorithms are: {}'.format(
args.purpose, ', '.join(valid_algorithms)))
args.default_algorithm = 'google-symmetric-encryption'
# Check default algorithm and purpose are compatible.
if args.default_algorithm not in valid_algorithms:
raise exceptions.ToolException(
'Default algorithm and purpose are incompatible. Here are the valid '
'algorithms for --purpose={}: {}'.format(
args.purpose, ', '.join(valid_algorithms)))
# Raise exception if attestations are requested for software key.
if args.attestation_file and args.protection_level != 'hsm':
raise exceptions.ToolException(
'--attestation-file requires --protection-level=hsm.')
crypto_key_ref = flags.ParseCryptoKeyName(args)
parent_ref = flags.ParseParentFromResource(crypto_key_ref)
req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCreateRequest(
parent=parent_ref.RelativeName(),
cryptoKeyId=crypto_key_ref.Name(),
cryptoKey=messages.CryptoKey(
purpose=purpose,
versionTemplate=messages.CryptoKeyVersionTemplate(
# TODO(b/35914817): Find a better way to get the enum value by
# name.
protectionLevel=maps.PROTECTION_LEVEL_MAPPER.
GetEnumForChoice(args.protection_level),
algorithm=maps.ALGORITHM_MAPPER.GetEnumForChoice(
args.default_algorithm)),
labels=labels_util.ParseCreateArgs(
args, messages.CryptoKey.LabelsValue)))
flags.SetNextRotationTime(args, req.cryptoKey)
flags.SetRotationPeriod(args, req.cryptoKey)
return req
def Run(self, args):
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
import_job_name = flags.ParseImportJobName(args).RelativeName()
if bool(args.rsa_aes_wrapped_key_file) == bool(args.target_key_file):
raise exceptions.OneOfArgumentsRequiredException(
('--target-key-file', '--rsa-aes-wrapped-key-file'),
'Either a pre-wrapped key or a key to be wrapped must be provided.')
rsa_aes_wrapped_key_bytes = None
if args.rsa_aes_wrapped_key_file:
try:
# This should be less than 64KiB.
rsa_aes_wrapped_key_bytes = self._ReadFile(
args.rsa_aes_wrapped_key_file, max_bytes=65536)
except files.Error as e:
raise exceptions.BadFileException(
'Failed to read rsa_aes_wrapped_key_file [{0}]: {1}'.format(
args.wrapped_target_key_file, e))
if args.target_key_file:
public_key_bytes = self._ReadOrFetchPublicKeyBytes(args, import_job_name)
target_key_bytes = None
try:
# This should be less than 64KiB.
target_key_bytes = self._ReadFile(
args.target_key_file, max_bytes=8192)
except files.Error as e:
raise exceptions.BadFileException(
'Failed to read target key file [{0}]: {1}'.format(
args.target_key_file, e))
rsa_aes_wrapped_key_bytes = self._CkmRsaAesKeyWrap(public_key_bytes,
target_key_bytes)
# Send the request to KMS.
req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsImportRequest( # pylint: disable=line-too-long
parent=flags.ParseCryptoKeyName(args).RelativeName())
req.importCryptoKeyVersionRequest = messages.ImportCryptoKeyVersionRequest(
algorithm=maps.ALGORITHM_MAPPER_FOR_IMPORT.GetEnumForChoice(
args.algorithm),
importJob=import_job_name,
rsaAesWrappedKey=rsa_aes_wrapped_key_bytes)
if args.version:
req.importCryptoKeyVersionRequest.cryptoKeyVersion = flags.ParseCryptoKeyVersionName(
args).RelativeName()
return client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions.Import(
req)
def _CreateCreateCKVRequest(self, args):
# pylint: disable=line-too-long
messages = cloudkms_base.GetMessagesModule()
crypto_key_ref = flags.ParseCryptoKeyName(args)
if args.external_key_uri:
return messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsCreateRequest(
parent=crypto_key_ref.RelativeName(),
cryptoKeyVersion=messages.CryptoKeyVersion(
externalProtectionLevelOptions=messages.
ExternalProtectionLevelOptions(
externalKeyUri=args.external_key_uri)))
return messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsCreateRequest(
parent=crypto_key_ref.RelativeName())
def Run(self, args):
# pylint: disable=line-too-long
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
version_ref = flags.ParseCryptoKeyVersionName(args)
key_ref = flags.ParseCryptoKeyName(args)
req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysUpdatePrimaryVersionRequest(
name=key_ref.RelativeName(),
updateCryptoKeyPrimaryVersionRequest=(
messages.UpdateCryptoKeyPrimaryVersionRequest(
cryptoKeyVersionId=version_ref.cryptoKeyVersionsId)))
return client.projects_locations_keyRings_cryptoKeys.UpdatePrimaryVersion(
req)
def Run(self, args):
# pylint: disable=line-too-long
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
crypto_key_ref = flags.ParseCryptoKeyName(args)
request = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsListRequest(
parent=crypto_key_ref.RelativeName())
return list_pager.YieldFromList(
client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions,
request,
field='cryptoKeyVersions',
limit=args.limit,
batch_size_attribute='pageSize')
def UpdatePrimaryVersion(self, args):
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
crypto_key_ref = flags.ParseCryptoKeyName(args)
req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysUpdatePrimaryVersionRequest( # pylint: disable=line-too-long
name=crypto_key_ref.RelativeName(),
updateCryptoKeyPrimaryVersionRequest=(
messages.UpdateCryptoKeyPrimaryVersionRequest(
cryptoKeyVersionId=args.primary_version)))
try:
response = client.projects_locations_keyRings_cryptoKeys.UpdatePrimaryVersion( # pylint: disable=line-too-long
req)
except apitools_exceptions.HttpError:
return None
return response
def _CreateRequest(self, args):
messages = cloudkms_base.GetMessagesModule()
crypto_key_ref = flags.ParseCryptoKeyName(args)
parent_ref = flags.ParseParentFromResource(crypto_key_ref)
req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCreateRequest(
parent=parent_ref.RelativeName(),
cryptoKeyId=crypto_key_ref.Name(),
cryptoKey=messages.CryptoKey(
# TODO(b/35914817): Find a better way to get the enum value by name.
purpose=maps.PURPOSE_MAP[args.purpose],
labels=labels_util.ParseCreateArgs(
args, messages.CryptoKey.LabelsValue)))
flags.SetNextRotationTime(args, req.cryptoKey)
flags.SetRotationPeriod(args, req.cryptoKey)
return req
def Run(self, args):
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
crypto_key_ref = flags.ParseCryptoKeyName(args)
if not crypto_key_ref.Name():
raise exceptions.InvalidArgumentException(
'key', 'key id must be non-empty.')
resp = client.projects_locations_keyRings_cryptoKeys.Get(
messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysGetRequest(
name=crypto_key_ref.RelativeName()))
# Suppress the attestation in the response, if there is one. Users can use
# keys versions describe --attestation-file to obtain it, instead.
if resp.primary and resp.primary.attestation:
resp.primary.attestation = None
return resp
def Run(self, args):
# pylint: disable=line-too-long
client = cloudkms_base.GetClientInstance()
ckv = client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions
new_ckv = ckv.Create(self._CreateCreateCKVRequest(args))
if args.primary:
version_id = new_ckv.name.split('/')[-1]
crypto_key_ref = flags.ParseCryptoKeyName(args)
messages = cloudkms_base.GetMessagesModule()
req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysUpdatePrimaryVersionRequest(
name=crypto_key_ref.RelativeName(),
updateCryptoKeyPrimaryVersionRequest=(
messages.UpdateCryptoKeyPrimaryVersionRequest(
cryptoKeyVersionId=version_id)))
client.projects_locations_keyRings_cryptoKeys.UpdatePrimaryVersion(req)
return new_ckv
def Run(self, args):
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
crypto_key_ref = flags.ParseCryptoKeyName(args)
parent_ref = flags.ParseKeyRingName(args)
req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCreateRequest(
parent=parent_ref.RelativeName(),
cryptoKeyId=crypto_key_ref.Name(),
cryptoKey=messages.CryptoKey(
# TODO(b/35914817): Find a better way to get the enum value by name.
purpose=getattr(messages.CryptoKey.PurposeValueValuesEnum,
PURPOSE_MAP[args.purpose]),),)
flags.SetNextRotationTime(args, req.cryptoKey)
flags.SetRotationPeriod(args, req.cryptoKey)
return client.projects_locations_keyRings_cryptoKeys.Create(req)
def UpdateOthers(self, args, crypto_key, fields_to_update):
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
crypto_key_ref = flags.ParseCryptoKeyName(args)
req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysPatchRequest(
name=crypto_key_ref.RelativeName(),
cryptoKey=messages.CryptoKey(
labels=labels_util.Diff.FromUpdateArgs(args).Apply(
messages.CryptoKey.LabelsValue, crypto_key.labels).GetOrNone()))
req.updateMask = ','.join(fields_to_update)
flags.SetNextRotationTime(args, req.cryptoKey)
flags.SetRotationPeriod(args, req.cryptoKey)
try:
response = client.projects_locations_keyRings_cryptoKeys.Patch(req)
except apitools_exceptions.HttpError:
return None
return response
def _CreateCreateCKVRequest(self, args):
# pylint: disable=line-too-long
messages = cloudkms_base.GetMessagesModule()
crypto_key_ref = flags.ParseCryptoKeyName(args)
if args.external_key_uri and args.ekm_connection_key_path:
raise kms_exceptions.ArgumentError(
'Can not specify both --external-key-uri and '
'--ekm-connection-key-path.')
if args.external_key_uri or args.ekm_connection_key_path:
return messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsCreateRequest(
parent=crypto_key_ref.RelativeName(),
cryptoKeyVersion=messages.CryptoKeyVersion(
externalProtectionLevelOptions=messages.
ExternalProtectionLevelOptions(
externalKeyUri=args.external_key_uri,
ekmConnectionKeyPath=args.ekm_connection_key_path)))
return messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsCreateRequest(
parent=crypto_key_ref.RelativeName())
def UpdateOthers(self, args, crypto_key, fields_to_update):
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
crypto_key_ref = flags.ParseCryptoKeyName(args)
labels_update = labels_util.Diff.FromUpdateArgs(args).Apply(
messages.CryptoKey.LabelsValue, crypto_key.labels)
if labels_update.needs_update:
new_labels = labels_update.labels
else:
new_labels = crypto_key.labels
req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysPatchRequest(
name=crypto_key_ref.RelativeName(),
cryptoKey=messages.CryptoKey(
labels=new_labels))
req.updateMask = ','.join(fields_to_update)
flags.SetNextRotationTime(args, req.cryptoKey)
flags.SetRotationPeriod(args, req.cryptoKey)
if args.default_algorithm:
valid_algorithms = maps.VALID_ALGORITHMS_MAP[crypto_key.purpose]
if args.default_algorithm not in valid_algorithms:
raise exceptions.ToolException(
'Update failed: Algorithm {algorithm} is not valid. Here are the '
'valid algorithm(s) for purpose {purpose}: {all_algorithms}'.format(
algorithm=args.default_algorithm,
purpose=crypto_key.purpose,
all_algorithms=', '.join(valid_algorithms)))
req.cryptoKey.versionTemplate = messages.CryptoKeyVersionTemplate(
algorithm=maps.ALGORITHM_MAPPER.GetEnumForChoice(
args.default_algorithm))
try:
response = client.projects_locations_keyRings_cryptoKeys.Patch(req)
except apitools_exceptions.HttpError:
return None
return response
def Run(self, args):
# pylint: disable=line-too-long
client = cloudkms_base.GetClientInstance()
ckv = client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions
new_ckv = ckv.Create(self._CreateCreateCKVRequest(args))
if args.primary:
version_id = new_ckv.name.split('/')[-1]
crypto_key_ref = flags.ParseCryptoKeyName(args)
messages = cloudkms_base.GetMessagesModule()
req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysUpdatePrimaryVersionRequest(
name=crypto_key_ref.RelativeName(),
updateCryptoKeyPrimaryVersionRequest=(
messages.UpdateCryptoKeyPrimaryVersionRequest(
cryptoKeyVersionId=version_id)))
client.projects_locations_keyRings_cryptoKeys.UpdatePrimaryVersion(req)
if new_ckv.algorithm == self.GOOGLE_SYMMETRIC_ENCRYPTION:
log.err.Print(self.SYMMETRIC_NEW_PRIMARY_MESSAGE.format(version=version_id))
return new_ckv
def UpdateOthers(self, args, crypto_key, fields_to_update):
# pylint: disable=line-too-long
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
crypto_key_ref = flags.ParseCryptoKeyName(args)
req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysPatchRequest(
name=crypto_key_ref.RelativeName(),
cryptoKey=messages.CryptoKey(labels=labels_util.UpdateLabels(
crypto_key.labels,
messages.CryptoKey.LabelsValue,
update_labels=labels_util.GetUpdateLabelsDictFromArgs(args),
remove_labels=labels_util.GetRemoveLabelsListFromArgs(args))),
)
req.updateMask = ','.join(fields_to_update)
flags.SetNextRotationTime(args, req.cryptoKey)
flags.SetRotationPeriod(args, req.cryptoKey)
try:
response = client.projects_locations_keyRings_cryptoKeys.Patch(req)
except apitools_exceptions.HttpError:
return None
return response
def Run(self, args):
"""Updates the relevant fields (of a CryptoKey) from the flags."""
# Check the flags and raise an exception if any check fails.
fields_to_update = self.ProcessFlags(args)
# Try to get the cryptoKey and raise an exception if the key doesn't exist.
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
crypto_key_ref = flags.ParseCryptoKeyName(args)
crypto_key = client.projects_locations_keyRings_cryptoKeys.Get(
messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysGetRequest(
name=crypto_key_ref.RelativeName()))
# Try to update the key's primary version.
set_primary_version_succeeds = True
if args.primary_version:
response = self.UpdatePrimaryVersion(args)
if response:
crypto_key = response # If call succeeds, update the crypto_key.
else:
set_primary_version_succeeds = False
# Try other updates.
other_updates_succeed = True
if fields_to_update:
response = self.UpdateOthers(args, crypto_key, fields_to_update)
if response:
crypto_key = response # If call succeeds, update the crypto_key.
else:
other_updates_succeed = False
if not set_primary_version_succeeds or not other_updates_succeed:
self.HandleErrors(args, set_primary_version_succeeds,
other_updates_succeed, fields_to_update)
else:
return crypto_key
def Run(self, args):
client = cloudkms_base.GetClientInstance()
messages = cloudkms_base.GetMessagesModule()
crypto_key_ref = flags.ParseCryptoKeyName(args)
req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysPatchRequest(
name=crypto_key_ref.RelativeName(), cryptoKey=messages.CryptoKey())
flags.SetNextRotationTime(args, req.cryptoKey)
flags.SetRotationPeriod(args, req.cryptoKey)
fields_to_update = []
if args.rotation_period is not None:
fields_to_update.append('rotationPeriod')
if args.next_rotation_time is not None:
fields_to_update.append('nextRotationTime')
if not fields_to_update:
raise exceptions.ToolException(
'At least one of --next-rotation-time or --rotation-period must be '
'specified.')
req.updateMask = ','.join(fields_to_update)
return client.projects_locations_keyRings_cryptoKeys.Patch(req)
def Run(self, args):
return iam.GetCryptoKeyIamPolicy(flags.ParseCryptoKeyName(args))
def _CreateCreateCKVRequest(self, args):
# pylint: disable=line-too-long
messages = cloudkms_base.GetMessagesModule()
crypto_key_ref = flags.ParseCryptoKeyName(args)
return messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsCreateRequest(
parent=crypto_key_ref.RelativeName())
def Run(self, args):
return iam.RemovePolicyBindingFromCryptoKey(
flags.ParseCryptoKeyName(args), args.member, args.role)
def Run(self, args):
crypto_key_ref = flags.ParseCryptoKeyName(args)
return iam.AddPolicyBindingToCryptoKey(crypto_key_ref, args.member,
args.role)
def _CreateDecryptRequest(self, args):
if (args.ciphertext_file == '-'
and args.additional_authenticated_data_file == '-'):
raise exceptions.InvalidArgumentException(
'--ciphertext-file',
'--ciphertext-file and --additional-authenticated-data-file cannot '
'both read from stdin.')
try:
# The Encrypt API has a limit of 64K; the output ciphertext files will be
# slightly larger. Check proactively (but generously) to avoid attempting
# to buffer and send obviously oversized files to KMS.
ciphertext = self._ReadFileOrStdin(args.ciphertext_file,
max_bytes=2 * 65536)
except files.Error as e:
raise exceptions.BadFileException(
'Failed to read ciphertext file [{0}]: {1}'.format(
args.ciphertext_file, e))
aad = None
if args.additional_authenticated_data_file:
try:
# The Encrypt API limits the AAD to 64KiB.
aad = self._ReadFileOrStdin(
args.additional_authenticated_data_file, max_bytes=65536)
except files.Error as e:
raise exceptions.BadFileException(
'Failed to read additional authenticated data file [{0}]: {1}'
.format(args.additional_authenticated_data_file, e))
crypto_key_ref = flags.ParseCryptoKeyName(args)
# Check that the key id does not include /cryptoKeyVersion/ which may occur
# as encrypt command does allow version, so it is easy for user to make a
# mistake here.
if '/cryptoKeyVersions/' in crypto_key_ref.cryptoKeysId:
raise exceptions.InvalidArgumentException(
'--key', '{} includes cryptoKeyVersion which is not valid for '
'decrypt.'.format(crypto_key_ref.cryptoKeysId))
messages = cloudkms_base.GetMessagesModule()
req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysDecryptRequest(
name=crypto_key_ref.RelativeName())
# Populate request integrity fields.
if self._PerformIntegrityVerification(args):
ciphertext_crc32c = crc32c.Crc32c(ciphertext)
# Set checksum if AAD is not provided for consistency.
aad_crc32c = crc32c.Crc32c(
aad) if aad is not None else crc32c.Crc32c(b'')
req.decryptRequest = messages.DecryptRequest(
ciphertext=ciphertext,
additionalAuthenticatedData=aad,
ciphertextCrc32c=ciphertext_crc32c,
additionalAuthenticatedDataCrc32c=aad_crc32c)
else:
req.decryptRequest = messages.DecryptRequest(
ciphertext=ciphertext, additionalAuthenticatedData=aad)
return req
