4jdZddlmZddlmZddlmZddlmZddlZddlZddlZddl m Z ddl m Z dd lmZdd lmZdd lmZdd lmZdd lmZddlmZddlmZddlmZddlmZddlmZddlm Z ddlm!Z!ddlm"Z"ddlm#Z#e jHZ%ejLrdZ'ndZ'Gdde(Z)y)z>JSON gsutil Cloud API implementation for Google Cloud Storage.)absolute_import)print_function)division)unicode_literalsN) exceptions)config)AccessDeniedException)BadRequestException)NotFoundException)PreconditionException)ServiceException)SetUpJsonCredentialsAndCache)NoOpCredentials)cloudkms_v1_client)cloudkms_v1_messages) system_util) GetCertsFile)GetMaxRetryDelay) GetNewHttp) GetNumRetrieszVInsufficient OAuth2 scope to perform this operation. Please re-run `gcloud auth login`zRInsufficient OAuth2 scope to perform this operation. Please re-run `gsutil config`cZeZdZdZd fd ZdZdZd dZdZd dZ dZ d Z d d Z xZ S)KmsApiz7Wraps calls to the Cloud KMS v1 interface via apitools.ctt| ||_t |_t |_d|_tjddd|_ tjddd}|rd|znd|_ |j|jz|jz|_ t||| |d k\}|d k\}tj |j|j|||j" |_t'|_|j(|j$_t+|_|j,|j$_t/|j"t0r|j$j3d d yy)aPerforms necessary setup for interacting with Google Cloud KMS. Args: logger: logging.logger for outputting log messages. credentials: Credentials to be used for interacting with Cloud KMS debug: Debug level for the API implementation (0..3). zhttps:// Credentials gs_kms_hostzcloudkms.googleapis.com gs_kms_portN:) credentials)urlhttp log_request log_responserkey'AIzaSyDnacJHrKma0048b13sh8cgxNUwulubmJM)superr__init__loggerr certs_filerr" http_baserget host_base host_porturl_baserapitools_client CloudkmsV1r api_clientr num_retriesrmax_retry_wait isinstancerAddGlobalParam)selfr)rdebugrr#r$ __class__s platform/gsutil/gslib/kms_api.pyr(zKmsApi.__init__:s? &$ "DK"nDO DIDNZZ } 9;DN**]M4@K,7cK'RDN^^dnn4t~~EDM v;GA:KQJL%00T]]6:ii=H>J=A=M=M ODO %D"&"2"2DOO*,D%)%8%8DOO"$""O4 oo$$ ;=5ctj|} |jjj |S#t $r}|j ||Yd}~yd}~wwxYw)N)resourcekey_name)apitools_messages>CloudkmsProjectsLocationsKeyRingsCryptoKeysGetIamPolicyRequestr2&projects_locations_keyRings_cryptoKeys GetIamPolicy TRANSLATABLE_APITOOLS_EXCEPTIONS_TranslateExceptionAndRaise)r7r?requestes r:GetKeyIamPolicyzKmsApi.GetKeyIamPolicyes\ MM$&G=ooDDl7#% += &&q8&<<=s$= A#AA#ctj|}tj||} |jjj |S#t $r}|j||Yd}~yd}~wwxYw)N)policy)r=setIamPolicyRequestr>)r@SetIamPolicyRequest>CloudkmsProjectsLocationsKeyRingsCryptoKeysSetIamPolicyRequestr2rB SetIamPolicyrDrE)r7r?rJpolicy_requestrFrGs r:SetKeyIamPolicyzKmsApi.SetKeyIamPolicyoso&::&IN MM$.JG=ooDDl7#% += &&q8&<<=s$A A:A55A:c*tjd|d|d|}tj||d|d|} |jjj |d|d|d|S#t $r}|jdk7rYd}~)d}~wwxYw)aAttempts to create the specified keyRing. Args: project: (str) The project id in which to create the keyRing and key. keyring_name: (str) The name of the keyRing, e.g. my-keyring. Note that this must be unique within the location. location: (str) The location in which to create the keyRing. Defaults to 'global'. Returns: (str) The fully-qualified name of the keyRing, e.g.: projects/my-project/locations/global/keyRings/my-keyring Raises: Translated CloudApi exception if we were unable to create the keyRing. Note that in the event of a 409 status code (resource already exists) when attempting creation, we continue and treat this as a success. z projects/z /locations/z /keyRings/)name)keyRing keyRingIdparentN)r@KeyRing.CloudkmsProjectsLocationsKeyRingsCreateRequestr2projects_locations_keyRingsCreaterD status_code)r7project keyring_namelocation keyring_msgkeyring_create_requestrGs r: CreateKeyRingzKmsApi.CreateKeyRingzs&$++ (L*+K HH"18(C E  oo11889OP6=h5A CC , #   s%A// B8B  Bcftjtjjj}tj|||} |j j j||jdd|S#t$r}|jdk7rYd}~4d}~wwxYw)aAttempts to create the specified cryptoKey. Args: keyring_fqn: (str) The fully-qualified name of the keyRing, e.g. projects/my-project/locations/global/keyRings/my-keyring. key_name: (str) The name of the desired key, e.g. my-key. Note that this must be unique within the keyRing. Returns: (str) The fully-qualified name of the cryptoKey, e.g.: projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key Raises: Translated CloudApi exception if we were unable to create the cryptoKey. Note that in the event of a 409 status code (resource already exists) when attempting creation, we continue and treat this as a success. )purpose) cryptoKey cryptoKeyIdrUrVN/z /cryptoKeys/) r@ CryptoKeyPurposeValueValuesEnumENCRYPT_DECRYPT8CloudkmsProjectsLocationsKeyRingsCryptoKeysCreateRequestr2rBrZrDr[rstrip)r7 keyring_fqnr? cryptokey_msgcryptokey_create_requestrGs r:CreateCryptoKeyzKmsApi.CreateCryptoKeys$&//##::JJMM @@#+ O oo<<CC "$ "-!3!3C!8( CC , #   s%B B0B++B0c|jjtjr.|jj dt j |j||}|r|)a'Translates an HTTP exception and raises the translated or original value. Args: e: Any Exception. key_name: Optional key name in request that caused the exception. Raises: Translated CloudApi exception, or the original exception if it was not translatable. zTranslateExceptionAndRaise: %sr>)r) isEnabledForloggingDEBUGr8 traceback format_exc_TranslateApitoolsException)r7rGr?translated_exceptions r:rEz"KmsApi._TranslateExceptionAndRaisesc {{ . kk8!,,.0;;AEM<O   r;ct|tjrCt|ddr5 t j |j }d|vrd|dvr|ddSyyyy#t$rYywxYw)Ncontenterrormessage)r5apitools_exceptions HttpErrorgetattrjsonloadsry Exception)r7 http_errorjson_objs r:_GetMessageFromHttpErrorzKmsApi._GetMessageFromHttpErrors*1;;< Y - ZZ 2 23(  Y(72C%CG$Y/ /&D  .=    s1A A+*A+c |jd}|jd}|dk\r||djdd}d|zSy#t$rYywxYw)Nzwww-authenticatezscope="r"zAcceptable scopes: %s)responsefindsplitr)r7rwww_authenticate scope_idxscopess r:!_GetAcceptableScopesFromHttpErrorz(KmsApi._GetAcceptableScopesFromHttpErrorsr #,,-?@#'' 2i a!)*-33C8;&//     sAA AAct|tjrO|j|}|jdk(rt |xsd|jS|jdk(radt |vrt|xsd|jSdt |vrtt|j|j|S|jd k(rd t |vrt|xsd |jSd t |vrt|xsd |jSdt |vrtd|jSdt |vrtd|jSdt |vr+tt|j|j|St|xs|jxs||jS|jdk(r%t|xs |j|jS|jdk(r|rtd|z|jS|jdk(rt||jSt||jSy)a8Translates apitools exceptions into their gsutil equivalents. Args: e: Any exception in TRANSLATABLE_APITOOLS_EXCEPTIONS. key_name: Optional key name in request that caused the exception. Returns: CloudStorageApiServiceException for translatable exceptions, None otherwise. iz Bad Request)statusizLogin RequiredzAccess denied: login required.insufficient_scope)rbodyiz7The account for the specified project has been disabledzAccount disabled.z,Daily Limit for Unauthenticated Use Exceededz8Access denied: quota exceeded. Is your project ID valid?zUser Rate Limit Exceededz5Rate limit exceeded. Please retry this request later.zAccess Not ConfiguredzAccess Not Configured. Please go to the Google Cloud Platform Console (https://cloud.google.com/console#/project) for your project, select APIs & services, and enable the Google Cloud KMS API.irVzThe key %s already exists.iN)r5r|r}rr[r strr "_INSUFFICIENT_OAUTH2_SCOPE_MESSAGErr{r r r )r7rGr?r{s r:rvz"KmsApi._TranslateApitoolsExceptionsM!(223--a0g # #7#;m*+--9 9 ==C  s1v %&w(H'G./mm= ="SV +'0]]99!<> > ==C  DA N&w'E2E./mm= = ;s1v E&w(C(C./mm= =(3q6 1&]]$ $%A .&]] $ $ "SV +'0]]99!<> > 'w'G!))'Gx./mm= = ==C  !5AIIammLL ==C H rsE&%' >1/-1,C3PT#.2,/$7$A$A !;!!#*% &% A=VA=r;