Exemplo n.º 1
    def validate_encryption_for_read(self,
                                     request,
                                     prefix="x-goog-encryption"):
        """Check the customer-supplied encryption headers of a read request.

        An object without "customerEncryption" metadata must be read without
        a key header. An object with that metadata must be read with headers
        that pass `validate_customer_encryption_headers` and whose SHA-256
        header equals the stored "keySha256".

        :param request:flask.Request the http request.
        :param prefix: str the prefix shared by the encryption headers,
            typically 'x-goog-encryption', but for rewrite requests it can be
            'x-goog-copy-source-encryption'.
        :rtype:NoneType
        """
        key_name, sha256_name, algorithm_name = (
            prefix + suffix
            for suffix in ("-key", "-key-sha256", "-algorithm"))
        stored = self.metadata.get("customerEncryption")
        if stored is None:
            # Unencrypted object: only the key header is inspected here, so
            # stray hash or algorithm headers do not trigger an error.
            if request.headers.get(key_name) is None:
                return
            # A key sent for an unencrypted object is rejected.
            # NOTE(review): presumably raise_csek_error() raises and never
            # returns; confirm in testbench_utils.
            testbench_utils.raise_csek_error()
        # Encrypted object: the request must carry a well-formed key, hash
        # and algorithm.
        supplied_key = request.headers.get(key_name)
        supplied_sha256 = request.headers.get(sha256_name)
        supplied_algorithm = request.headers.get(algorithm_name)
        # This method never hashes the key itself.
        # NOTE(review): presumably the helper verifies that the key matches
        # its SHA-256 header; confirm, since the comparison below relies on
        # the hash header alone.
        testbench_utils.validate_customer_encryption_headers(
            supplied_key, supplied_sha256, supplied_algorithm)
        if supplied_sha256 != stored.get("keySha256"):
            # The caller presented a different key than the one recorded
            # when the object was written.
            testbench_utils.raise_csek_error()
Exemplo n.º 2
    def _capture_customer_encryption(self, request):
        """Record customer-supplied encryption details from the request.

        Does nothing when the request has no 'x-goog-encryption-key' header.
        Otherwise the headers are validated and only the algorithm and the
        key's SHA-256 header value are stored in the object metadata; the
        key itself is not stored by this method.

        :param request:flask.Request the http request.
        :rtype:NoneType
        """
        if request.headers.get("x-goog-encryption-key") is None:
            # No key supplied: the metadata is left untouched.
            return
        base = "x-goog-encryption"
        supplied_key, supplied_sha256, supplied_algorithm = (
            request.headers.get(base + suffix)
            for suffix in ("-key", "-key-sha256", "-algorithm"))
        # NOTE(review): presumably rejects missing or inconsistent headers;
        # the stored hash is taken from the header, not computed here, so
        # confirm the helper checks it against the key.
        testbench_utils.validate_customer_encryption_headers(
            supplied_key, supplied_sha256, supplied_algorithm)
        # Store only what a later read needs to recognise the key.
        recorded = {}
        recorded["encryptionAlgorithm"] = supplied_algorithm
        recorded["keySha256"] = supplied_sha256
        self.metadata["customerEncryption"] = recorded