dZddlmZddlmZddlmZddlmZddlm Z ddl m Z ddl mZddl m Z ddl mZdd l mZdd lmZdd lmZdd lmZe j,Gd de j.Zy)z@Decapsulate an input file using a key-encapsulation key version.)absolute_import)division)unicode_literals) exceptions)base)crc32c) e2e_integrity)flags)log) console_io)filesc8eZdZdZedZdZdZdZdZ y) DecapsulateaDDecapsulate an input file using a key-encapsulation key version. Decapsulates the given ciphertext file using the provided key-encapsulation key version and saves the decapsulated shared secret to the shared secret file. By default, the command performs integrity verification on data sent to and received from Cloud KMS. Use `--skip-integrity-verification` to disable integrity verification. ## EXAMPLES The following command will read the file '/tmp/my/secret.file.enc', decapsulate it using the key encapsulation CryptoKey `my-key` Version 3 and write the shared secret to '/tmp/my/secret.file.dec'. $ {command} \ --location=us-central1 \ --keyring=my-keyring \ --key=my-key \ --version=3 \ --ciphertext-file=/tmp/my/secret.file.enc \ --shared-secret-file=/tmp/my/secret.file.dec ctj|dtj|dtj|dtj|dtj |y)Nzto use for decapsulation.zto use for decapsulationzto decapsulatez to output)r AddKeyResourceFlagsAddCryptoKeyVersionFlagAddCiphertextFileFlagAddSharedSecretFileFlagAddSkipIntegrityVerification)parsers lib/surface/kms/decapsulate.pyArgszDecapsulate.Args;sS f&AB !!&*DE (89 !!&+6 &&v.c|j S)N)skip_integrity_verification)selfargss r_PerformIntegrityVerificationz)Decapsulate._PerformIntegrityVerificationCs// //rc tj|jd}tj}tj|}|j|j}|j|r/tj |}|j#|||_|S|j#||_|S#tj$r4}t j dj|j|d}~wwxYw)NT)binaryz)Failed to read ciphertext file [{0}]: {1})name) ciphertextciphertextCrc32c)r")r ReadFromFileOrStdinciphertext_filer ErrorrBadFileExceptionformat cloudkms_baseGetMessagesModuler ParseCryptoKeyVersionNameNCloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsDecapsulateRequest RelativeNamerrCrc32cDecapsulateRequestdecapsulateRequest)rrr"emessagescrypto_key_refreqciphertext_crc32cs r_CreateDecapsulateRequestz%Decapsulate._CreateDecapsulateRequestFs(11   t-j..0H44T:N  a a  ( ( * b C ))$/ -- 3'::2C ; c J (:: ; c J+ ;;(  ' ' 5 < <""A ' (((s!CD /DD c |js'tjtjt j |j |js'tjtjy)z&Verifies integrity fields in response.N) verifiedCiphertextCrc32cr $ClientSideIntegrityVerificationError'GetRequestToServerCorruptedErrorMessager Crc32cMatches sharedSecretsharedSecretCrc32c*GetResponseFromServerCorruptedErrorMessage)rr4resps r_VerifyResponseIntegrityFieldsz*Decapsulate._VerifyResponseIntegrityFieldsass  ( (  > >  ? ? A CC    1 143J3J K  > >  B B D FF Lrc|j|}tj} |jj |}|j |r|j ||tj|j|jxsddddy#tj$r}tj|Yd}~yd}~wtj $r}t#j$|d}~wwxYw)NT) overwriter private)r6r)GetClientInstance8projects_locations_keyRings_cryptoKeys_cryptoKeyVersionsrrr@r WriteToFileOrStdoutshared_secret_filer<apitools_exceptionsHttpBadRequestErrorr ProcessHttpBadRequestErrorr r&rr')rrr4clientr?errorr1s rRunzDecapsulate.Runns  ( ( .C  , , .F+  L L X X d  + +D 1 ++C6   ! !    !r   2 26..u55 ;;+  ' ' **+s$A0BC5+CC5C00C5N) __name__ __module__ __qualname____doc__ staticmethodrrr6r@rNrrrr!s00//06 F+rrN)rR __future__rrrapitools.base.pyrrIgooglecloudsdk.api_lib.cloudkmsrr)googlecloudsdk.calliopegooglecloudsdk.command_lib.kmsrr r googlecloudsdk.corer googlecloudsdk.core.consoler googlecloudsdk.core.utilr UniverseCompatibleCommandrrTrrr_sZG&'>A(.180#2*d+$,,d+d+r