3zdZddlmZddlmZddlmZddlmZddlm Z ddl m Z ddl mZ ddl mZddl mZdd l mZdd lmZe j&e j(e j*j,e j*j.e j*j0Gd d e j2Zy )z Update a key.)absolute_import)division)unicode_literals) exceptions)base)flags)maps) resource_args) labels_utilc>eZdZdZedZdZdZdZdZ dZ y) UpdateaUpdate a key. 1. Update the rotation schedule for the given key. Updates the rotation schedule for the given key. The schedule automatically creates a new primary version for the key according to `next-rotation-time` and `rotation-period` flags. Flag `next-rotation-time` must be in ISO 8601 or RFC3339 format, and `rotation-period` must be in the form INTEGER[UNIT], where units can be one of seconds (s), minutes (m), hours (h) or days (d). Key rotations performed manually via `update-primary-version` and the version `create` do not affect the stored `next-rotation-time`. 2. Remove the rotation schedule for the given key with `remove-rotation-schedule` flag. 3. Update/Remove the labels for the given key with `update-labels` and/or `remove-labels` flags. 4. Update the primary version for the given key with `primary-version` flag. 5. Update the Key Access Justifications policy for the given key with `allowed-access-reasons` flag to allow specified reasons. The key must be enrolled in Key Access Justifications to use this flag. 6. Remove the Key Access Justifications policy for the given key with `remove-key-access-justifications-policy` flag. The key must be enrolled in Key Access Justifications to use this flag. 7. Update the Key Access Justifications policy for the given key with `allowed_access_reasons` flag to allow zero access reasons. This effectively disables the key, because a policy is configured to reject all access reasons. The key must be enrolled in Key Access Justifications to use this flag. ## EXAMPLES The following command sets a 30 day rotation period for the key named `frodo` within the keyring `fellowship` and location `global` starting at the specified time: $ {command} frodo \ --location=global \ --keyring=fellowship \ --rotation-period=30d \ --next-rotation-time=2017-10-12T12:34:56.1234Z The following command removes the rotation schedule for the key named `frodo` within the keyring `fellowship` and location `global`: $ {command} frodo \ --location=global \ --keyring=fellowship \ --remove-rotation-schedule The following command updates the labels value for the key named `frodo` within the keyring `fellowship` and location `global`. If the label key does not exist at the time, it will be added: $ {command} frodo \ --location=global \ --keyring=fellowship \ --update-labels=k1=v1 The following command removes labels k1 and k2 from the key named `frodo` within the keyring `fellowship` and location `global`: $ {command} frodo \ --location=global \ --keyring=fellowship \ --remove-labels=k1,k2 The following command updates the primary version for the key named `frodo` within the keyring `fellowship` and location `global`: $ {command} frodo \ --location=global \ --keyring=fellowship \ --primary-version=1 The following command updates the default algorithm for the key named `frodo` within the keyring `fellowship` and location `global`, assuming the key originally has purpose 'asymmetric-encryption' and algorithm 'rsa-decrypt-oaep-2048-sha256': $ {command} frodo \ --location=global \ --keyring=fellowship \ --default-algorithm=rsa-decrypt-oaep-4096-sha256 The following command updates the Key Access Justifications policy for the key named `frodo` within the keyring ``fellowship'' and location ``global'' to allow only ``customer-initiated-access'' and ``google-initiated-system-operation'': $ {command} frodo \ --location=global \ --keyring=fellowship \ --allowed-access-reasons=customer-initiated-access,google-initiated-system-operation The following command removes the Key Access Justifications policy for the key named `frodo` within the keyring ``fellowship'' and location ``global'', which results in all access reasons being allowed: $ {command} frodo \ --location=global \ --keyring=fellowship \ --remove-key-access-justifications-policy The following command updates the Key Access Justifications policy for the key named `frodo` within the keyring ``fellowship'' and location ``global'' to allow only zero access reasons, effectively disabling the key: $ {command} frodo \ --location=global \ --keyring=fellowship \ --allowed-access-reasons= ctj|ddtj|tj|tj |tj |dtj|tj|tj|tj|y)NTkeyzto make primary) r AddKmsKeyResourceArgForKMSrAddRotationPeriodFlagAddNextRotationTimeFlagAddRemoveRotationScheduleFlagAddCryptoKeyPrimaryVersionFlagr AddUpdateLabelsFlagsAddDefaultAlgorithmFlagAddAllowedAccessReasonsFlag*AddRemoveKeyAccessJustificationsPolicyFlag)parsers lib/surface/kms/keys/update.pyArgsz Update.Argss,,VT5A ' !!&) ''/ ((1BC$$V, !!&) %%f- 44V<cg}tjj|}|jr|j d|j rO|j s |jrtjd|j d|j d|j r|j d|jr|j d|jr|j d|j!|jrtjd|j |jr|j d|js|stjd|S) Nlabelsz=You cannot set and remove rotation schedule at the same time.rotationPeriodnextRotationTimezversionTemplate.algorithmzNYou cannot set and remove a Key Access Justifications policy at the same time.keyAccessJustificationsPolicyaAt least one of --primary-version or --update-labels or --remove-labels or --clear-labels or --rotation-period or --next-rotation-time or --remove-rotation-schedule or --default-algorithm or --allowed-access-reasons or --remove-key-access-justifications-policy must be specified.)r DiffFromUpdateArgsMayHaveUpdatesappendremove_rotation_schedulerotation_periodnext_rotation_timekms_exceptions ArgumentErrordefault_algorithmallowed_access_reasons'remove_key_access_justifications_policyprimary_version UpdateError)selfargsfields_to_update labels_diffs r ProcessFlagszUpdate.ProcessFlagssR""11$7K!!#h' $$  !8!8** KM M./01 ./ 01 9: ##/  8 8  ( (   ##/  7 7=>   (8  & & I  rc~tj}tj}|jjj }|j |j|j|j} |jj|}|S#tj$rYywxYw)N)cryptoKeyVersionId)name$updateCryptoKeyPrimaryVersionRequest) cloudkms_baseGetClientInstanceGetMessagesModuleCONCEPTSrParseFCloudkmsProjectsLocationsKeyRingsCryptoKeysUpdatePrimaryVersionRequest RelativeName$UpdateCryptoKeyPrimaryVersionRequestr.&projects_locations_keyRings_cryptoKeysUpdatePrimaryVersionapitools_exceptions HttpError)r0r1clientmessagescrypto_key_refreqresponses rrBzUpdate.UpdatePrimaryVersions  , , .F..0H]]&&,,.N  Y Y  ( ( *  9 9#'#7#7 : 9 Z ;C >>SS h O  ( ( s B&&B<;B<c tj}tj}|jjj }t jj|j|jj|j}|jr |j}n |j}|j|j|j|} dj!|| _t%j&|| j(t%j*|| j(|j,rt.j0|j2} |j,| vrJt5j6dj9|j,|j2dj!| |j;t.j<j?|j,| j(_ |jBs t%jD|| j( |jFjI| } | S#tJjL$rYywxYw)N)r)r7 cryptoKey,zzUpdate failed: Algorithm {algorithm} is not valid. Here are the valid algorithm(s) for purpose {purpose}: {all_algorithms}z, ) algorithmpurposeall_algorithms)rM)'r9r:r;r<rr=r r"r#Apply CryptoKey LabelsValuer needs_update7CloudkmsProjectsLocationsKeyRingsCryptoKeysPatchRequestr?join updateMaskrSetNextRotationTimerKSetRotationPeriodr+r VALID_ALGORITHMS_MAPrNr)r/formatCryptoKeyVersionTemplateALGORITHM_MAPPERGetEnumForChoiceversionTemplater- SetKeyAccessJustificationsPolicyrAPatchrCrD) r0r1 crypto_keyr2rErFrG labels_update new_labelsrHvalid_algorithmsrIs r UpdateOtherszUpdate.UpdateOtherss  , , .F..0H]]&&,,.N$$33D9??&& (9(9;M!! ''j$$j  J J  ( ( *$$% K CXX./CN dCMM2 D#--0 22:3E3EF  '7 7(( IIO00"**#yy)9:JPJ<= = '/&G&G))::$$&'H''cmm#  7 7 ,,T3==A>>DDSIh O  ( ( s<II/.I/cd}|s|dz }n|jr|dz }|s$|djdj|z }n%|r#|djdj|z }tj|)aHandles various errors that may occur during any update stage. Never returns without an exception. Args: args: Input arguments. set_primary_version_succeeds: True if the primary verion is updated successfully. other_updates_succeed: True if all other updates (besides primary verions) is updated successfully. fields_to_update: A list of fields to be updated. Raises: ToolException: An exception raised when there is error during any update stage. zAn Error occurred:z) Failed to update field 'primaryVersion'.z$ Field 'primaryVersion' was updated.z Failed to update field(s) '{}'.z', 'z Field(s) '{}' were updated.)r.rZrUr)r/)r0r1set_primary_version_succeedsother_updates_succeedr2errs r HandleErrorszUpdate.HandleErrorss$ C ' 88c   33c  / 6 6 ++& '))c  + 2 2 ++& '))c  $ $S ))rc|j|}tj}tj}|jj j }|jj|j|j}d}|jr|j|}|r|}nd}d} |r|j|||}|r|}nd} |r| s|j||| |y|S)z>BBFF,,. G 01J $(  **40h  ',$!""45EFh  % '/D :-/?ArN) __name__ __module__ __qualname____doc__ staticmethodrr4rBrerjrnrrr r s8 vp = =*X$(T*>$rr N)rr __future__rrrapitools.base.pyrrCgooglecloudsdk.api_lib.cloudkmsrr9googlecloudsdk.calliopegooglecloudsdk.command_lib.kmsr)rr r $googlecloudsdk.command_lib.util.argsr UniverseCompatible ReleaseTracks ReleaseTrackALPHABETAGA UpdateCommandr rtrrrs&'>A(G0/8<T..33T5F5F5I5IpT  ppr