:dZddlmZddlmZddlmZddlZddlZddlZddlZddl m Z ddl m Z ddl mZddlZd Zhd Zd Zd ZGd de j(ZGddeZGddeZGddeZGddeZdZGddej4ej6eZGddeZGddeZGddeZ Gd d!eZ!d.d"Z"Gd#d$eZ#Gd%d&eZ$d'Z%d(Z&d)Z'd*Z(d+Z)d,Z*d-Z+y)/zAUtility functions for managing customer supplied encryption keys.)absolute_import)division)unicode_literalsN) exceptions) resources) console_iozHhttps://cloud.google.com/compute/docs/disks/customer-supplied-encryption>keyurikey-type,iXceZdZdZy)ErrorzFBase exception for Csek(customer supplied encryption keys) exceptions.N)__name__ __module__ __qualname____doc__0lib/googlecloudsdk/api_lib/compute/csek_utils.pyrr&sNrrc"eZdZdZfdZxZS)InvalidKeyFileExceptionz!There's a problem in a CSEK file.cJtt| dj|y)Nz{0} For information on proper key file format see: https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#key_file)superr__init__format)self base_message __class__s rrz InvalidKeyFileException.__init__-s# !41 006|0DFrrrrrr __classcell__rs@rrr*s)FFrrc"eZdZdZfdZxZS)BadPatternExceptionz$A (e.g.) url pattern is bad and why.c||_||_tt|dj |j|jy)Nz&Invalid value for [{0}] pattern: [{1}]) pattern_typepatternrr#rr)rr%r&rs rrzBadPatternException.__init__7s@$DDL t-077    LL rrr!s@rr#r#4s,rr#c"eZdZdZfdZxZS)InvalidKeyExceptionNoContextz.Indicate that a particular key is bad and why.c||_||_tt|dj |j|jy)NzInvalid key, [{0}] : {1})r issuerr(rr)rr r*rs rrz%InvalidKeyExceptionNoContext.__init__Cs=DHDJ &6")) HH JJ rrr!s@rr(r(@s6rr(c"eZdZdZfdZxZS)InvalidKeyExceptionz6Indicate that a particular key is bad, why, and where.c||_||_||_tt|dj |j|j|jy)Nz"Invalid key, [{0}], for [{1}]: {2})r key_idr*rr,rr)rr r.r*rs rrzInvalidKeyException.__init__OsKDHDKDJ t-,33 HH KK JJ rrr!s@rr,r,Ls>rr,c |dkrtdj|t||k7r%t|dj|t||ddk7r t|d |j d}t jd |s t|d  tj|y #t $r t|dwxYw#t$r*}t|d j|jd }~wwxYw) zFValidateKey(s, k) returns None or raises InvalidKeyExceptionNoContext.z6ValidateKey requires expected_key_length > 1. Got {0}zTKey should contain {0} characters (including padding), but is [{1}] characters long.=z4Bad padding. Keys should end with an '=' character.asciiz"Key contains non-ascii characters.z^[a-zA-Z0-9+/=]*$zKey contains unexpected characters. Base64 encoded strings contain only letters (upper or lower case), numbers, plusses '+', slashes '/', or equality signs '='.zKey is not valid base64: [{0}].N) ValueErrorrlenr(encodeUnicodeDecodeErrorrematchbase64 b64decode TypeErrormessage)base64_encoded_stringexpected_key_lengthbase64_encoded_string_as_strts r ValidateKeyrBZs21 Mf01 33 #66 & ((.  % &)( ))2#% &@ BB.#8#?#?#H &(= > &$ A BB = 12 . &, ... = &)00; ===s$(B2C 2C C>%C99C>ceZdZdZdZeddZejdZ ejdZ e dZ y) CsekKeyBasez#A class representing for CSEK keys.cHt||j||_y)N)r?)rB GetKeyLength _key_material)r key_materials rrzCsekKeyBase.__init__s $2C2C2EF%Drct|dk(r t|S|dk(r|r t|St|dt|)aMake a CSEK key. Args: key_material: str, the key material for this key key_type: str, the type of this key allow_rsa_encrypted: bool, whether the key is allowed to be RSA-wrapped Returns: CsekRawKey or CsekRsaEncryptedKey derived from the given key material and type. Raises: BadKeyTypeException: if the key is not a valid key type rawz rsa-encryptedzLthis feature is only allowed in the alpha and beta versions of this command.) CsekRawKeyCsekRsaEncryptedKeyBadKeyTypeExceptionrHkey_typeallow_rsa_encrypteds rMakeKeyzCsekKeyBase.MakeKeysO"5  %%?" "<00     h ''rctd)Nz"GetKeyLength() must be overridden.NotImplementedErrorrs rrFzCsekKeyBase.GetKeyLengths B CCrc~td)NzToMessage() must be overridden.rSrcompute_clients r ToMessagezCsekKeyBase.ToMessages ? @@rc|jSN)rGrUs rrHzCsekKeyBase.key_materials   rNF) rrrrr staticmethodrQabcabstractmethodrFrYpropertyrHrrrrDrDsj+&((:DDAA  rrDceZdZdZdZdZy)rKz!Class representing raw CSEK keys.ctSr[)BASE64_RAW_KEY_LENGTH_IN_CHARSrUs rrFzCsekRawKey.GetKeyLengths ))rc`|jjt|jS)N)rawKeyMESSAGES_MODULECustomerEncryptionKeystrrHrWs rrYzCsekRawKey.ToMessages/  ) ) ? ?4$$% @ ''rNrrrrrFrYrrrrKrKs)*'rrKceZdZdZdZdZy)rLz+Class representing rsa encrypted CSEK keys.ctSr[)(BASE64_RSA_ENCRYPTED_KEY_LENGTH_IN_CHARSrUs rrFz CsekRsaEncryptedKey.GetKeyLengths 33rc`|jjt|jS)N)rsaEncryptedKeyrfrWs rrYzCsekRsaEncryptedKey.ToMessages/  ) ) ? ?D--. @ 00rNrjrrrrLrLs340rrLc$eZdZdZdfd ZxZS)rMzA key type is bad and why.c||_dj|j}|r|d|zz }|dz }tt||y)NzInvalid key type [{0}]z: .)rOrrrMr)rrO explanationmsgrs rrzBadKeyTypeException.__init__sIDM " ) )$-- 8C TK c3JC t-c2r)rr!s@rrMrMs"33rrMceZdZfdZxZS)MissingCsekExceptioncJtt| dj|y)Nz0Key required for resource [{0}], but none found.)rrwrr)rresourcers rrzMissingCsekException.__init__s" .:AA(KMr)rrrrr r!s@rrwrwsMMrrwc |jdddj|t|r+|jdddd j|t y y ) z$Adds arguments related to csek keys.z--csek-key-fileFILEaA Path to a Customer-Supplied Encryption Key (CSEK) key file that maps Compute Engine {resource}s to user managed keys to be used when creating, mounting, or taking snapshots of disks. If you pass `-` as value of the flag, the CSEK is read from stdin. See {csek_help} for more details. )ry csek_help)metavarhelpz--require-csek-key-create store_trueTa Refuse to create {resource}s not protected by a user managed key in the key file when --csek-key-file is given. This behavior is enabled by default to prevent incorrect gcloud invocations from accidentally creating {resource}s with no user managed key. Disabling the check allows creation of some {resource}s without a matching Customer-Supplied Encryption Key in the supplied --csek-key-file. See {csek_help} for more details. )actiondefaultr~N) add_argumentr CSEK_HELP_URL)parserflags_about_creation resource_types rAddCsekKeyArgsrsm  &-=& A C #  FM]F C Erc"eZdZdZdZdZdZy) UriPatternzCA uri-based pattern that maybe be matched against resource objects.c|jds td|tjj |j |_y)Nhttpr ) startswithr#rREGISTRYParseURL RelativeName_path_as_string)rpath_as_strings rrzUriPattern.__init__sC  $ $V , ~ 66$--66$  rc<|j|jk(S)z*Tests if its argument matches the pattern.)rr)rrys rMatcheszUriPattern.Matchess   8#8#8#: ::rc d|jzS)Nz Uri Pattern: )rrUs r__str__zUriPattern.__str__ s T11 11rN)rrrrrrrrrrrrsK' ;2rrcZeZdZdZedZed dZed dZdZ d dZ d dZ y) CsekKeyStorez0Represents a map from resource patterns to keys.cBtj|d}|||S)aFromFile loads a CsekKeyStore from a file. Args: fname: str, the name of a file intended to contain a well-formed key file allow_rsa_encrypted: bool, whether to allow keys of type 'rsa-encrypted' Returns: A CsekKeyStore, if found Raises: googlecloudsdk.core.util.files.Error: If the file cannot be read or is larger than max_bytes. F)binary)rReadFromFileOrStdin)clsfnamerPcontents rFromFilezCsekKeyStore.FromFiles$ ,,U5AG w+ ,,rc\|jytj|j|S)aFromFile attempts to load a CsekKeyStore from a command's args. Args: args: CLI args with a csek_key_file field set allow_rsa_encrypted: bool, whether to allow keys of type 'rsa-encrypted' Returns: A CsekKeyStore, if a valid key file name is provided as csek_key_file None, if args.csek_key_file is None Raises: exceptions.BadFileException: there's a problem reading fname exceptions.InvalidKeyFileException: the key file failed to parse or was otherwise invalid N) csek_key_filerr)argsrPs rFromArgszCsekKeyStore.FromArgs)s-" !   !3!35H IIrc  t|tjsJi} tj|}t|t s t d|D]}t|ts-t djtj|t|jtk7rAt djtj|djtt|d} tj!|d|d|||< t|tsJ|S#t"$r'}t%|j&||j( d }~wwxYw#t*$r}t |j,d }~wwxYw) a._ParseAndValidate(s) inteprets s as a csek key file. Args: s: str, an input to parse allow_rsa_encrypted: bool, whether to allow RSA-wrapped keys Returns: a valid state object Raises: InvalidKeyFileException: if the input doesn't parse or is not well-formed. z1Key file's top-level element must be a JSON list.z7Key file records must be JSON objects, but [{0}] found.z4Record [{0}] has incorrect json keys; [{1}] expected,r r r rN)r r.r*N) isinstancesix string_typesjsonloadslistrdictrdumpssetkeysEXPECTED_RECORD_KEY_KEYSjoinrrDrQr(r,r r*r4r)srPstaterecords key_recordr&es r_ParseAndValidatezCsekKeyStore._ParseAndValidate?sy a)) ** * E- 1 g  &% @B B **d+'GNN**Z(*+ + z !%= ='DKK**Z(((3467 7 Z./ N&..%e,z*7M"5/7%. 0 eT "" " L, N#gQWWM M N - #QVV ,,-s<C!E-!D:#E-: E*"E%%E**E-- F 6FF c,t|jSr[)r5rrUs r__len__zCsekKeyStore.__len__ss tzz?rc @t|jtsJd}tj|jD]H\}}|j |s|dr(t dj|d|t|||f}J|r|d t||dS)aSearch for the unique key corresponding to a given resource. Args: resource: the resource to find a key for. raise_if_missing: bool, raise an exception if the resource is not found. Returns: CsekKeyBase, corresponding to the resource, or None if not found and not raise_if_missing. Raises: InvalidKeyFileException: if there are two records matching the resource. MissingCsekException: if raise_if_missing and no key is found for the provided resource. )NNrzEUri patterns [{0}] and [{1}] both match resource [{2}]. Bailing out.r0) rrrr iteritemsrrrrirw)rryraise_if_missing search_statepatr s r LookupKeyzCsekKeyStore.LookupKeyvs djj$ '' 'LMM$**-S X  ?'..4fq/3H /78 8 Sz .\!_4  ** ?rc:tj|||_yr[)rrr)r json_stringrPs rrzCsekKeyStore.__init__s// 0CEDJrNr\) rrrr classmethodrr]rrrrrrrrrrsU8 --$JJ*11f DErrc,|r|j|SdSr[)rY)csek_key_or_nonecomputes rMaybeToMessagers0@  # #G ,JdJrc.|r|r|j|Syr[)r)csek_keys_or_nonerys rMaybeLookupKeyrs8  & &x 00 rc2t||}t||Sr[)rr)rryrX maybe_keys rMaybeLookupKeyMessagers.9)  > 22rc@|Dcgc]}t||c}Scc}wr[)r)rresource_collectionrs rMaybeLookupKeysrs$8K L8K1.*A .8K LL LscTt||Dcgc]}t||c}Scc}wr[)rr)rrrXks rMaybeLookupKeyMessagesrs= +-@ A C A12.N + A CC Cs%c ft||Dcgc]}|r|j|ndc}Scc}wr[)rParse)rrurisus rMaybeLookupKeysByUrirs6 156A1 Q$&6 886s. cVt|||Dcgc]}t||c}Scc}wr[)rr)rrrrXrs rMaybeLookupKeyMessagesByUrirs> 0&$ ? A ?12.N + ? AA As&)Try),r __future__rrrr^r:rr8googlecloudsdk.api_lib.computergooglecloudsdk.corergooglecloudsdk.core.consolerrrrrcrmrrr#r(r,rBwith_metaclassABCMetaobjectrDrKrLrMrwrrrrrrrrrrrrrrs2H&' 5)2 0 5!#+.(OJ  OFeF 1  #:  1 '=T0$#$$S[[&90f''0+0 31 3M5ME<22"KE6KEbK3 MC 8 Ar