def Run(self, args): client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() crypto_key_ref = flags.ParseCryptoKeyName(args) return client.projects_locations_keyRings_cryptoKeys.Get( messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysGetRequest( name=crypto_key_ref.RelativeName()))
def Run(self, args): messages = cloudkms_base.GetMessagesModule() policy = iam_util.ParseJsonPolicyFile(args.policy_file, messages.Policy) return iam.SetCryptoKeyIamPolicy(flags.ParseCryptoKeyName(args), policy)
def Run(self, args): messages = cloudkms_base.GetMessagesModule() policy, update_mask = iam_util.ParseYamlOrJsonPolicyFile(args.policy_file, messages.Policy) crypto_key_ref = flags.ParseCryptoKeyName(args) result = iam.SetCryptoKeyIamPolicy(crypto_key_ref, policy, update_mask) iam_util.LogSetIamPolicy(crypto_key_ref.Name(), 'key') return result
def _CreateEncryptRequest(self, args): if (args.plaintext_file == '-' and args.additional_authenticated_data_file == '-'): raise exceptions.InvalidArgumentException( '--plaintext-file', '--plaintext-file and --additional-authenticated-data-file cannot ' 'both read from stdin.') try: # The Encrypt API limits the plaintext to 64KiB. plaintext = self._ReadFileOrStdin(args.plaintext_file, max_bytes=65536) except files.Error as e: raise exceptions.BadFileException( 'Failed to read plaintext file [{0}]: {1}'.format( args.plaintext_file, e)) aad = None if args.additional_authenticated_data_file: try: # The Encrypt API limits the AAD to 64KiB. aad = self._ReadFileOrStdin( args.additional_authenticated_data_file, max_bytes=65536) except files.Error as e: raise exceptions.BadFileException( 'Failed to read additional authenticated data file [{0}]: {1}' .format(args.additional_authenticated_data_file, e)) if args.version: crypto_key_ref = flags.ParseCryptoKeyVersionName(args) else: crypto_key_ref = flags.ParseCryptoKeyName(args) messages = cloudkms_base.GetMessagesModule() req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysEncryptRequest( name=crypto_key_ref.RelativeName()) # Populate request integrity fields. if self._PerformIntegrityVerification(args): plaintext_crc32c = crc32c.Crc32c(plaintext) # Set checksum if AAD is not provided for simpler response verification. aad_crc32c = crc32c.Crc32c( aad) if aad is not None else crc32c.Crc32c(b'') req.encryptRequest = messages.EncryptRequest( plaintext=plaintext, additionalAuthenticatedData=aad, plaintextCrc32c=plaintext_crc32c, additionalAuthenticatedDataCrc32c=aad_crc32c) else: req.encryptRequest = messages.EncryptRequest( plaintext=plaintext, additionalAuthenticatedData=aad) return req
def Run(self, args): client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() crypto_key_ref = flags.ParseCryptoKeyName(args) req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysPatchRequest( name=crypto_key_ref.RelativeName(), cryptoKey=messages.CryptoKey(), updateMask='rotationPeriod,nextRotationTime') return client.projects_locations_keyRings_cryptoKeys.Patch(req)
def Run(self, args): client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() crypto_key_ref = flags.ParseCryptoKeyName(args) if not crypto_key_ref.Name(): raise exceptions.InvalidArgumentException('key', 'key id must be non-empty.') return client.projects_locations_keyRings_cryptoKeys.Get( messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysGetRequest( name=crypto_key_ref.RelativeName()))
def Run(self, args): if (args.ciphertext_file == '-' and args.additional_authenticated_data_file == '-'): raise exceptions.InvalidArgumentException( '--ciphertext-file', '--ciphertext-file and --additional-authenticated-data-file cannot ' 'both read from stdin.') try: # The Encrypt API has a limit of 64K; the output ciphertext files will be # slightly larger. Check proactively (but generously) to avoid attempting # to buffer and send obviously oversized files to KMS. ciphertext = self._ReadFileOrStdin( args.ciphertext_file, max_bytes=2 * 65536) except files.Error as e: raise exceptions.BadFileException( 'Failed to read ciphertext file [{0}]: {1}'.format( args.ciphertext_file, e)) aad = None if args.additional_authenticated_data_file: try: # The Encrypt API limits the AAD to 64KiB. aad = self._ReadFileOrStdin( args.additional_authenticated_data_file, max_bytes=65536) except files.Error as e: raise exceptions.BadFileException( 'Failed to read additional authenticated data file [{0}]: {1}'. format(args.additional_authenticated_data_file, e)) crypto_key_ref = flags.ParseCryptoKeyName(args) client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysDecryptRequest( name=crypto_key_ref.RelativeName()) req.decryptRequest = messages.DecryptRequest( ciphertext=ciphertext, additionalAuthenticatedData=aad) resp = client.projects_locations_keyRings_cryptoKeys.Decrypt(req) try: if resp.plaintext is None: with files.FileWriter(args.plaintext_file): # to create an empty file pass log.Print('Decrypted file is empty') else: log.WriteToFileOrStdout( args.plaintext_file, resp.plaintext, binary=True, overwrite=True) except files.Error as e: raise exceptions.BadFileException(e)
def Run(self, args): if (args.plaintext_file == '-' and args.additional_authenticated_data_file == '-'): raise exceptions.InvalidArgumentException( '--plaintext-file', '--plaintext-file and --additional-authenticated-data-file cannot ' 'both read from stdin.') try: # The Encrypt API limits the plaintext to 64KiB. plaintext = self._ReadFileOrStdin(args.plaintext_file, max_bytes=65536) except files.Error as e: raise exceptions.BadFileException( 'Failed to read plaintext file [{0}]: {1}'.format( args.plaintext_file, e)) aad = None if args.additional_authenticated_data_file: try: # The Encrypt API limits the AAD to 64KiB. aad = self._ReadFileOrStdin( args.additional_authenticated_data_file, max_bytes=65536) except files.Error as e: raise exceptions.BadFileException( 'Failed to read additional authenticated data file [{0}]: {1}' .format(args.additional_authenticated_data_file, e)) if args.version: crypto_key_ref = flags.ParseCryptoKeyVersionName(args) else: crypto_key_ref = flags.ParseCryptoKeyName(args) client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysEncryptRequest( name=crypto_key_ref.RelativeName()) req.encryptRequest = messages.EncryptRequest( plaintext=plaintext, additionalAuthenticatedData=aad) resp = client.projects_locations_keyRings_cryptoKeys.Encrypt(req) try: log.WriteToFileOrStdout(args.ciphertext_file, resp.ciphertext, binary=True, overwrite=True) except files.Error as e: raise exceptions.BadFileException(e)
def _CreateRequest(self, args): messages = cloudkms_base.GetMessagesModule() purpose = maps.PURPOSE_MAP[args.purpose] valid_algorithms = maps.VALID_ALGORITHMS_MAP[purpose] # Check default algorithm has been specified for asymmetric keys. For # backward compatibility, the algorithm is google-symmetric-encryption by # default if the purpose is encryption. if not args.default_algorithm: if args.purpose != 'encryption': raise exceptions.ToolException( '--default-algorithm needs to be specified when creating a key with' ' --purpose={}. The valid algorithms are: {}'.format( args.purpose, ', '.join(valid_algorithms))) args.default_algorithm = 'google-symmetric-encryption' # Check default algorithm and purpose are compatible. if args.default_algorithm not in valid_algorithms: raise exceptions.ToolException( 'Default algorithm and purpose are incompatible. Here are the valid ' 'algorithms for --purpose={}: {}'.format( args.purpose, ', '.join(valid_algorithms))) # Raise exception if attestations are requested for software key. if args.attestation_file and args.protection_level != 'hsm': raise exceptions.ToolException( '--attestation-file requires --protection-level=hsm.') crypto_key_ref = flags.ParseCryptoKeyName(args) parent_ref = flags.ParseParentFromResource(crypto_key_ref) req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCreateRequest( parent=parent_ref.RelativeName(), cryptoKeyId=crypto_key_ref.Name(), cryptoKey=messages.CryptoKey( purpose=purpose, versionTemplate=messages.CryptoKeyVersionTemplate( # TODO(b/35914817): Find a better way to get the enum value by # name. protectionLevel=maps.PROTECTION_LEVEL_MAPPER. GetEnumForChoice(args.protection_level), algorithm=maps.ALGORITHM_MAPPER.GetEnumForChoice( args.default_algorithm)), labels=labels_util.ParseCreateArgs( args, messages.CryptoKey.LabelsValue))) flags.SetNextRotationTime(args, req.cryptoKey) flags.SetRotationPeriod(args, req.cryptoKey) return req
def Run(self, args): client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() import_job_name = flags.ParseImportJobName(args).RelativeName() if bool(args.rsa_aes_wrapped_key_file) == bool(args.target_key_file): raise exceptions.OneOfArgumentsRequiredException( ('--target-key-file', '--rsa-aes-wrapped-key-file'), 'Either a pre-wrapped key or a key to be wrapped must be provided.') rsa_aes_wrapped_key_bytes = None if args.rsa_aes_wrapped_key_file: try: # This should be less than 64KiB. rsa_aes_wrapped_key_bytes = self._ReadFile( args.rsa_aes_wrapped_key_file, max_bytes=65536) except files.Error as e: raise exceptions.BadFileException( 'Failed to read rsa_aes_wrapped_key_file [{0}]: {1}'.format( args.wrapped_target_key_file, e)) if args.target_key_file: public_key_bytes = self._ReadOrFetchPublicKeyBytes(args, import_job_name) target_key_bytes = None try: # This should be less than 64KiB. target_key_bytes = self._ReadFile( args.target_key_file, max_bytes=8192) except files.Error as e: raise exceptions.BadFileException( 'Failed to read target key file [{0}]: {1}'.format( args.target_key_file, e)) rsa_aes_wrapped_key_bytes = self._CkmRsaAesKeyWrap(public_key_bytes, target_key_bytes) # Send the request to KMS. req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsImportRequest( # pylint: disable=line-too-long parent=flags.ParseCryptoKeyName(args).RelativeName()) req.importCryptoKeyVersionRequest = messages.ImportCryptoKeyVersionRequest( algorithm=maps.ALGORITHM_MAPPER_FOR_IMPORT.GetEnumForChoice( args.algorithm), importJob=import_job_name, rsaAesWrappedKey=rsa_aes_wrapped_key_bytes) if args.version: req.importCryptoKeyVersionRequest.cryptoKeyVersion = flags.ParseCryptoKeyVersionName( args).RelativeName() return client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions.Import( req)
def _CreateCreateCKVRequest(self, args): # pylint: disable=line-too-long messages = cloudkms_base.GetMessagesModule() crypto_key_ref = flags.ParseCryptoKeyName(args) if args.external_key_uri: return messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsCreateRequest( parent=crypto_key_ref.RelativeName(), cryptoKeyVersion=messages.CryptoKeyVersion( externalProtectionLevelOptions=messages. ExternalProtectionLevelOptions( externalKeyUri=args.external_key_uri))) return messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsCreateRequest( parent=crypto_key_ref.RelativeName())
def Run(self, args): # pylint: disable=line-too-long client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() version_ref = flags.ParseCryptoKeyVersionName(args) key_ref = flags.ParseCryptoKeyName(args) req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysUpdatePrimaryVersionRequest( name=key_ref.RelativeName(), updateCryptoKeyPrimaryVersionRequest=( messages.UpdateCryptoKeyPrimaryVersionRequest( cryptoKeyVersionId=version_ref.cryptoKeyVersionsId))) return client.projects_locations_keyRings_cryptoKeys.UpdatePrimaryVersion( req)
def Run(self, args): # pylint: disable=line-too-long client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() crypto_key_ref = flags.ParseCryptoKeyName(args) request = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsListRequest( parent=crypto_key_ref.RelativeName()) return list_pager.YieldFromList( client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions, request, field='cryptoKeyVersions', limit=args.limit, batch_size_attribute='pageSize')
def UpdatePrimaryVersion(self, args): client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() crypto_key_ref = flags.ParseCryptoKeyName(args) req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysUpdatePrimaryVersionRequest( # pylint: disable=line-too-long name=crypto_key_ref.RelativeName(), updateCryptoKeyPrimaryVersionRequest=( messages.UpdateCryptoKeyPrimaryVersionRequest( cryptoKeyVersionId=args.primary_version))) try: response = client.projects_locations_keyRings_cryptoKeys.UpdatePrimaryVersion( # pylint: disable=line-too-long req) except apitools_exceptions.HttpError: return None return response
def _CreateRequest(self, args): messages = cloudkms_base.GetMessagesModule() crypto_key_ref = flags.ParseCryptoKeyName(args) parent_ref = flags.ParseParentFromResource(crypto_key_ref) req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCreateRequest( parent=parent_ref.RelativeName(), cryptoKeyId=crypto_key_ref.Name(), cryptoKey=messages.CryptoKey( # TODO(b/35914817): Find a better way to get the enum value by name. purpose=maps.PURPOSE_MAP[args.purpose], labels=labels_util.ParseCreateArgs( args, messages.CryptoKey.LabelsValue))) flags.SetNextRotationTime(args, req.cryptoKey) flags.SetRotationPeriod(args, req.cryptoKey) return req
def Run(self, args): client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() crypto_key_ref = flags.ParseCryptoKeyName(args) if not crypto_key_ref.Name(): raise exceptions.InvalidArgumentException( 'key', 'key id must be non-empty.') resp = client.projects_locations_keyRings_cryptoKeys.Get( messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysGetRequest( name=crypto_key_ref.RelativeName())) # Suppress the attestation in the response, if there is one. Users can use # keys versions describe --attestation-file to obtain it, instead. if resp.primary and resp.primary.attestation: resp.primary.attestation = None return resp
def Run(self, args): # pylint: disable=line-too-long client = cloudkms_base.GetClientInstance() ckv = client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions new_ckv = ckv.Create(self._CreateCreateCKVRequest(args)) if args.primary: version_id = new_ckv.name.split('/')[-1] crypto_key_ref = flags.ParseCryptoKeyName(args) messages = cloudkms_base.GetMessagesModule() req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysUpdatePrimaryVersionRequest( name=crypto_key_ref.RelativeName(), updateCryptoKeyPrimaryVersionRequest=( messages.UpdateCryptoKeyPrimaryVersionRequest( cryptoKeyVersionId=version_id))) client.projects_locations_keyRings_cryptoKeys.UpdatePrimaryVersion(req) return new_ckv
def Run(self, args): client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() crypto_key_ref = flags.ParseCryptoKeyName(args) parent_ref = flags.ParseKeyRingName(args) req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCreateRequest( parent=parent_ref.RelativeName(), cryptoKeyId=crypto_key_ref.Name(), cryptoKey=messages.CryptoKey( # TODO(b/35914817): Find a better way to get the enum value by name. purpose=getattr(messages.CryptoKey.PurposeValueValuesEnum, PURPOSE_MAP[args.purpose]),),) flags.SetNextRotationTime(args, req.cryptoKey) flags.SetRotationPeriod(args, req.cryptoKey) return client.projects_locations_keyRings_cryptoKeys.Create(req)
def UpdateOthers(self, args, crypto_key, fields_to_update): client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() crypto_key_ref = flags.ParseCryptoKeyName(args) req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysPatchRequest( name=crypto_key_ref.RelativeName(), cryptoKey=messages.CryptoKey( labels=labels_util.Diff.FromUpdateArgs(args).Apply( messages.CryptoKey.LabelsValue, crypto_key.labels).GetOrNone())) req.updateMask = ','.join(fields_to_update) flags.SetNextRotationTime(args, req.cryptoKey) flags.SetRotationPeriod(args, req.cryptoKey) try: response = client.projects_locations_keyRings_cryptoKeys.Patch(req) except apitools_exceptions.HttpError: return None return response
def _CreateCreateCKVRequest(self, args): # pylint: disable=line-too-long messages = cloudkms_base.GetMessagesModule() crypto_key_ref = flags.ParseCryptoKeyName(args) if args.external_key_uri and args.ekm_connection_key_path: raise kms_exceptions.ArgumentError( 'Can not specify both --external-key-uri and ' '--ekm-connection-key-path.') if args.external_key_uri or args.ekm_connection_key_path: return messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsCreateRequest( parent=crypto_key_ref.RelativeName(), cryptoKeyVersion=messages.CryptoKeyVersion( externalProtectionLevelOptions=messages. ExternalProtectionLevelOptions( externalKeyUri=args.external_key_uri, ekmConnectionKeyPath=args.ekm_connection_key_path))) return messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsCreateRequest( parent=crypto_key_ref.RelativeName())
def UpdateOthers(self, args, crypto_key, fields_to_update): client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() crypto_key_ref = flags.ParseCryptoKeyName(args) labels_update = labels_util.Diff.FromUpdateArgs(args).Apply( messages.CryptoKey.LabelsValue, crypto_key.labels) if labels_update.needs_update: new_labels = labels_update.labels else: new_labels = crypto_key.labels req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysPatchRequest( name=crypto_key_ref.RelativeName(), cryptoKey=messages.CryptoKey( labels=new_labels)) req.updateMask = ','.join(fields_to_update) flags.SetNextRotationTime(args, req.cryptoKey) flags.SetRotationPeriod(args, req.cryptoKey) if args.default_algorithm: valid_algorithms = maps.VALID_ALGORITHMS_MAP[crypto_key.purpose] if args.default_algorithm not in valid_algorithms: raise exceptions.ToolException( 'Update failed: Algorithm {algorithm} is not valid. Here are the ' 'valid algorithm(s) for purpose {purpose}: {all_algorithms}'.format( algorithm=args.default_algorithm, purpose=crypto_key.purpose, all_algorithms=', '.join(valid_algorithms))) req.cryptoKey.versionTemplate = messages.CryptoKeyVersionTemplate( algorithm=maps.ALGORITHM_MAPPER.GetEnumForChoice( args.default_algorithm)) try: response = client.projects_locations_keyRings_cryptoKeys.Patch(req) except apitools_exceptions.HttpError: return None return response
def Run(self, args): # pylint: disable=line-too-long client = cloudkms_base.GetClientInstance() ckv = client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions new_ckv = ckv.Create(self._CreateCreateCKVRequest(args)) if args.primary: version_id = new_ckv.name.split('/')[-1] crypto_key_ref = flags.ParseCryptoKeyName(args) messages = cloudkms_base.GetMessagesModule() req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysUpdatePrimaryVersionRequest( name=crypto_key_ref.RelativeName(), updateCryptoKeyPrimaryVersionRequest=( messages.UpdateCryptoKeyPrimaryVersionRequest( cryptoKeyVersionId=version_id))) client.projects_locations_keyRings_cryptoKeys.UpdatePrimaryVersion(req) if new_ckv.algorithm == self.GOOGLE_SYMMETRIC_ENCRYPTION: log.err.Print(self.SYMMETRIC_NEW_PRIMARY_MESSAGE.format(version=version_id)) return new_ckv
def UpdateOthers(self, args, crypto_key, fields_to_update): # pylint: disable=line-too-long client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() crypto_key_ref = flags.ParseCryptoKeyName(args) req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysPatchRequest( name=crypto_key_ref.RelativeName(), cryptoKey=messages.CryptoKey(labels=labels_util.UpdateLabels( crypto_key.labels, messages.CryptoKey.LabelsValue, update_labels=labels_util.GetUpdateLabelsDictFromArgs(args), remove_labels=labels_util.GetRemoveLabelsListFromArgs(args))), ) req.updateMask = ','.join(fields_to_update) flags.SetNextRotationTime(args, req.cryptoKey) flags.SetRotationPeriod(args, req.cryptoKey) try: response = client.projects_locations_keyRings_cryptoKeys.Patch(req) except apitools_exceptions.HttpError: return None return response
def Run(self, args): """Updates the relevant fields (of a CryptoKey) from the flags.""" # Check the flags and raise an exception if any check fails. fields_to_update = self.ProcessFlags(args) # Try to get the cryptoKey and raise an exception if the key doesn't exist. client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() crypto_key_ref = flags.ParseCryptoKeyName(args) crypto_key = client.projects_locations_keyRings_cryptoKeys.Get( messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysGetRequest( name=crypto_key_ref.RelativeName())) # Try to update the key's primary version. set_primary_version_succeeds = True if args.primary_version: response = self.UpdatePrimaryVersion(args) if response: crypto_key = response # If call succeeds, update the crypto_key. else: set_primary_version_succeeds = False # Try other updates. other_updates_succeed = True if fields_to_update: response = self.UpdateOthers(args, crypto_key, fields_to_update) if response: crypto_key = response # If call succeeds, update the crypto_key. else: other_updates_succeed = False if not set_primary_version_succeeds or not other_updates_succeed: self.HandleErrors(args, set_primary_version_succeeds, other_updates_succeed, fields_to_update) else: return crypto_key
def Run(self, args): client = cloudkms_base.GetClientInstance() messages = cloudkms_base.GetMessagesModule() crypto_key_ref = flags.ParseCryptoKeyName(args) req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysPatchRequest( name=crypto_key_ref.RelativeName(), cryptoKey=messages.CryptoKey()) flags.SetNextRotationTime(args, req.cryptoKey) flags.SetRotationPeriod(args, req.cryptoKey) fields_to_update = [] if args.rotation_period is not None: fields_to_update.append('rotationPeriod') if args.next_rotation_time is not None: fields_to_update.append('nextRotationTime') if not fields_to_update: raise exceptions.ToolException( 'At least one of --next-rotation-time or --rotation-period must be ' 'specified.') req.updateMask = ','.join(fields_to_update) return client.projects_locations_keyRings_cryptoKeys.Patch(req)
def Run(self, args): return iam.GetCryptoKeyIamPolicy(flags.ParseCryptoKeyName(args))
def _CreateCreateCKVRequest(self, args): # pylint: disable=line-too-long messages = cloudkms_base.GetMessagesModule() crypto_key_ref = flags.ParseCryptoKeyName(args) return messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsCreateRequest( parent=crypto_key_ref.RelativeName())
def Run(self, args): return iam.RemovePolicyBindingFromCryptoKey( flags.ParseCryptoKeyName(args), args.member, args.role)
def Run(self, args): crypto_key_ref = flags.ParseCryptoKeyName(args) return iam.AddPolicyBindingToCryptoKey(crypto_key_ref, args.member, args.role)
def _CreateDecryptRequest(self, args): if (args.ciphertext_file == '-' and args.additional_authenticated_data_file == '-'): raise exceptions.InvalidArgumentException( '--ciphertext-file', '--ciphertext-file and --additional-authenticated-data-file cannot ' 'both read from stdin.') try: # The Encrypt API has a limit of 64K; the output ciphertext files will be # slightly larger. Check proactively (but generously) to avoid attempting # to buffer and send obviously oversized files to KMS. ciphertext = self._ReadFileOrStdin(args.ciphertext_file, max_bytes=2 * 65536) except files.Error as e: raise exceptions.BadFileException( 'Failed to read ciphertext file [{0}]: {1}'.format( args.ciphertext_file, e)) aad = None if args.additional_authenticated_data_file: try: # The Encrypt API limits the AAD to 64KiB. aad = self._ReadFileOrStdin( args.additional_authenticated_data_file, max_bytes=65536) except files.Error as e: raise exceptions.BadFileException( 'Failed to read additional authenticated data file [{0}]: {1}' .format(args.additional_authenticated_data_file, e)) crypto_key_ref = flags.ParseCryptoKeyName(args) # Check that the key id does not include /cryptoKeyVersion/ which may occur # as encrypt command does allow version, so it is easy for user to make a # mistake here. if '/cryptoKeyVersions/' in crypto_key_ref.cryptoKeysId: raise exceptions.InvalidArgumentException( '--key', '{} includes cryptoKeyVersion which is not valid for ' 'decrypt.'.format(crypto_key_ref.cryptoKeysId)) messages = cloudkms_base.GetMessagesModule() req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysDecryptRequest( name=crypto_key_ref.RelativeName()) # Populate request integrity fields. if self._PerformIntegrityVerification(args): ciphertext_crc32c = crc32c.Crc32c(ciphertext) # Set checksum if AAD is not provided for consistency. aad_crc32c = crc32c.Crc32c( aad) if aad is not None else crc32c.Crc32c(b'') req.decryptRequest = messages.DecryptRequest( ciphertext=ciphertext, additionalAuthenticatedData=aad, ciphertextCrc32c=ciphertext_crc32c, additionalAuthenticatedDataCrc32c=aad_crc32c) else: req.decryptRequest = messages.DecryptRequest( ciphertext=ciphertext, additionalAuthenticatedData=aad) return req