dZddlmZddlmZddlmZddlZddlZddlZddlZddl Z ddl m Z ddl m Z ddl m Z dd lmZdd lmZdd lmZe j&d Zd ZGddej,Zej0dgdZGddZeZdZdZej<ddZdZ dZ!ddZ"ddZ#ddZ$y) z1Utilities that support customer encryption flows.)absolute_import)division)unicode_literalsN)errors) hash_util)user_request_args_factory) properties)yaml)function_result_cachezqprojects/([^/]+)/locations/([a-zA-Z0-9_-]{1,63})/keyRings/([a-zA-Z0-9_-]{1,63})/cryptoKeys/([a-zA-Z0-9_-]{1,63})$AES256ceZdZdZdZy)KeyTypeCMEKCSEKN)__name__ __module__ __qualname__rr9lib/googlecloudsdk/command_lib/storage/encryption_util.pyrr*s $ $rr EncryptionKey)keytypesha256c$eZdZdZ ddZdZy) _KeyStoreaHolds encryption key information. Attributes: encryption_key (Optional[EncryptionKey]): The key for encryption. decryption_key_index (Dict[EncryptionKey.sha256, EncryptionKey]): Indexes keys that can be used for decryption. initialized (bool): True if encryption_key and decryption_key_index reflect the values they should based on flag and key file values. Nc6||_|xsi|_||_yN)encryption_keydecryption_key_index initialized)selfrr r!s r__init__z_KeyStore.__init__Cs!)D 4 :D"Drct||jstS|j|jk(xr4|j|jk(xr|j |j k(Sr) isinstance __class__NotImplementedrr r!)r"others r__eq__z_KeyStore.__eq__Ksa eT^^ ,  u333 . !!U%?%?? . E---r)NNF)rrr__doc__r#r)rrrrr8s#$( #rrc|stjd|jdrtjd|ztj |s$tjdj |y)Nz Key is empty./z1KMS key should not start with leading slash (/): zInvalid KMS key name: {}. KMS keys should follow the format "projects//locations//keyRings//cryptoKeys/")rError startswith _CMEK_REGEXmatchformat)raw_keys r validate_cmekr3Xsr  ,, ''  ,,J     7 # ,, !!' 22 $rcb|jd} t|tj}d}t|||S#tj $r]t |dk7rtj}tjtjtj|}Y}wxYw)zAReturns an EncryptionKey populated with information from raw_key.asciiN,)rrr)encoder3rrrr-lenrrget_base64_hash_digest_stringhashlibrbase64 b64decoder)r2 raw_key_byteskey_typers r parse_keyr?gs..)- 9'||H F 76 AA 9 7|r ||H  4 4v'' 679F 9s>A-B.-B.)maxsizec|xs2tjjjj }|siSt j |S)zReads the key store file, if it exists. Args: key_path: str | None, only provided for unit tests. Returns: The contents of the key store file, or an empty dict if the file does not exist. )r VALUESstoragekey_store_pathGetr load_path)key_pathrEs r_read_key_store_filerIws@Mz0088GGKKM.  I  ''rcXt||d}||St|j|S)aSearches for key values in flags, falling back to a file if necessary. Args: args: An object containing flag values from the command surface. key_field_name (str): Corresponds to a flag name or field name in the key file. key_store_path (str | None): The path to the key store file. Only provided if testing. Returns: The flag value associated with key_field_name, or the value contained in the key file. N)getattrrIget)argskey_field_namerEflag_keys r _get_raw_keyrPs3T>4 0(  O n - 1 1. AArci}|rB|D]=}|st|}|jtjk(s/|||j<?|S)zParses and indexes raw keys. Args: raw_keys (list[str]): The keys to index. Returns: A dict mapping key hashes to keys in raw_keys. Falsy elements of raw_keys and non-CSEKs are skipped. )r?rrrr)raw_keysindexr2rs r_index_decryption_keysrTsK %   g c W\\ !cjj  ,rc&tjryt|d|}t|ddrtj t_n|rt|t_|g}t|d|}|r||z }t|t_ dt_y)aLoads appropriate encryption and decryption keys into memory. Prefers values from flags over those from the user's key file. If _key_store is not already initialized, creates a _KeyStore instance and stores it in a global variable. Args: args: An object containing flag values from the command surface. key_store_path (str | None): The path to the key store file. Only provided if testing. Nrclear_encryption_keydecryption_keysT) _key_storer!rPrKrCLEARrr?rTr )rMrEraw_encryption_keyrRraw_decryption_keyss rinitialize_key_storer\s #D*:NK T)40 9 ? ?J )*< =J !($T+rps8&'   58H*$;bjj=>  dii ' && :[  2 B 1% (& ( B(* < %r