BdZddlmZddlmZddlmZddlmZddlZddlmZddl m Z dd l m Z dd l mZddlmcmZdd lmZdd lmZdd lmZddlmZddlmZddlmZddlmZddlmZdZededGddej@Z!ededGddej@Z"GddejFZ$GddejJZ&y)z"Integration tests for kms command.)absolute_import)print_function)division)unicode_literalsN)randint)mock)AccessDeniedException)PopulateProjectId) SkipForJSON) SkipForS3) SkipForXML) ObjectToURI)SetBotoConfigForTest)SetEnvironmentForTest)Retry) shim_utilOprojects/my-project/locations/us-central1/keyRings/my-keyring/cryptoKeys/my-keyz6gsutil does not support KMS operations for S3 buckets.cleZdZdZfdZeeddd dZd dZdZ d Z d Z d Z d Z xZS)TestKmsSuccessCasesz&Integration tests for the kms command.ctt| |jj t dt jjt jj|_ y)N)location) superrsetUpkms_api CreateKeyRingr testcaseKmsTestingResources KEYRING_NAMEKEYRING_LOCATION keyring_fqn)self __class__s 'platform/gsutil/gslib/tests/test_kms.pyrzTestKmsSuccessCases.setUp/sV t*,||11$$$11-->>2@D)tries timeout_secsctjjtddtddtddfz}|jj |j |}|jj|}|jr'|jj|jr'|jj||ddd|g}|r|jd|g|j|d}|j|d}|jd tdd |||jd tdd |d |y)Nr kms authorize-k-pT return_stdoutzAuthorized project z" to encrypt and decrypt with key: zProject z9 was already authorized to encrypt and decrypt with key: .)rrMUTABLE_KEY_NAME_TEMPLATErrCreateCryptoKeyr GetKeyIamPolicybindingspopSetKeyIamPolicyextend RunGsUtilassertInr )r!specified_projectkey_namekey_fqn key_policy authorize_cmdstdout1stdout2s r#DoTestAuthorizez#TestKmsSuccessCases.DoTestAuthorize9s/++EE1 wq!}gamI55Hll**4+;+;XFG--g6J      LL  *5Kw7MD"345nn]$n?Gnn]$n?GMM 4 ' +,35 MM)$/ :NN ^^  dG j  F MMNNr$rJ)__name__ __module__ __qualname____doc__rrAssertionErrorrBrHrLrOrQrSr\ __classcell__)r"s@r#rr*sN/@ qq1E2E8ND I'r$rz?These tests only check for failures when the XML API is forced.c@eZdZdZgdZdZdZdZdZdZ dZ d Z y ) #TestKmsSubcommandsFailWhenXmlForcedzETests that kms subcommands fail early when forced to use the XML API.)) Credentialsgs_oauth2_refresh_tokenN)regs_service_client_idN)regs_service_key_fileN)regs_service_key_file_passwordN)regs_access_key_iddummykey)regs_secret_access_key dummysecretrct|j5|j|dd}|jd|dddy#1swYyxYw)Nr&T)expected_status return_stderrz'The "kms" command can only be used with)rboto_config_hmac_auth_onlyr9r:)r! subcommandstderrs r#6DoTestSubcommandFailsWhenXmlForcedFromHmacInBotoConfigzZTestKmsSubcommandsFailWhenXmlForced.DoTestSubcommandFailsWhenXmlForcedFromHmacInBotoConfigs? d== >~~j!4~Pf mm=vF ? > >s 'AAc*|jgdy)N)r+rUgs://dummybucketrtrKs r#4testEncryptionFailsWhenXmlForcedFromHmacInBotoConfigzXTestKmsSubcommandsFailWhenXmlForced.testEncryptionFailsWhenXmlForcedFromHmacInBotoConfigs??13r$c8|jdddtdgy)Nr+rUr-rvrt_DUMMY_KEYNAMErKs r#9testEncryptionDashKFailsWhenXmlForcedFromHmacInBotoConfigz]TestKmsSubcommandsFailWhenXmlForced.testEncryptionDashKFailsWhenXmlForcedFromHmacInBotoConfigs ??  dN4FGIr$c*|jgdy)N)r+rUrVrvrwrKs r#9testEncryptionDashDFailsWhenXmlForcedFromHmacInBotoConfigz]TestKmsSubcommandsFailWhenXmlForced.testEncryptionDashDFailsWhenXmlForcedFromHmacInBotoConfigs??79r$c*|jgdy)N)r+rDrvrwrKs r#8testServiceaccountFailsWhenXmlForcedFromHmacInBotoConfigz\TestKmsSubcommandsFailWhenXmlForced.testServiceaccountFailsWhenXmlForcedFromHmacInBotoConfigs??57r$c8|jdddtdgy)Nr+r,r-rvrzrKs r#3testAuthorizeFailsWhenXmlForcedFromHmacInBotoConfigzWTestKmsSubcommandsFailWhenXmlForced.testAuthorizeFailsWhenXmlForcedFromHmacInBotoConfigs ??  T>3EFHr$N) r]r^r_r`rqr{rtrxr|r~rrr$r#rdrds8N <.G 3I97Hr$rdceZdZdZej dej dej dej ddZej dej dej dej ddZej dej dej dej ddZy ) TestKmsUnitTestszUnit tests for gsutil kms.Dgslib.cloud_api_delegator.CloudApiDelegator.GetProjectServiceAccountz7gslib.cloud_api_delegator.CloudApiDelegator.PatchBucket$gslib.kms_api.KmsApi.GetKeyIamPolicy$gslib.kms_api.KmsApi.SetKeyIamPolicyc  |j}g|j_d|j_|j dddt t |gd}|jd||j|jy)Ndummy@google.comr+rUr-Tr/"Setting default KMS key for bucket) rW return_valuer5 email_address RunCommandr{rYr: assertTruecalledr!mock_set_key_iam_policymock_get_key_iam_policymock_patch_bucket mock_get_project_service_accountrZrGs r#7testEncryptionSetKeySucceedsWhenUpdateKeyPolicySucceedszHTestKmsUnitTests.testEncryptionSetKeySucceedsWhenUpdateKeyPolicySucceedss""$J46((1BT$11? __ dNZ "F MM6?OO%,,-r$c  |j}td|_d|j_|j dddt dt|gd}|jd ||j|jy) NPermission deniedrr+rUr--wTr/r) rWr side_effectrrrr{rYr:rrrs r#CtestEncryptionSetKeySucceedsWhenUpdateKeyPolicyFailsWithWarningFlagzTTestKmsUnitTests.testEncryptionSetKeySucceedsWhenUpdateKeyPolicyFailsWithWarningFlags""$J*?+'BT$11? __ dNDZ "F MM6?OO%,,-r$c 8|j}td|_d|j_ |j dddt t|gd}|jdy#t$r&}|jd|jYd}~yd}~wwxYw) Nrrr+rUr-Tr/z*Did not get expected AccessDeniedException) rWr rrrrr{rYfailr:reason)r!rrrrrZrGes r#CtestEncryptionSetKeyFailsWhenUpdateKeyPolicyFailsWithoutWarningFlagzTTestKmsUnitTests.testEncryptionSetKeyFailsWhenUpdateKeyPolicyFailsWithoutWarningFlags""$J*?+'BT$11?3 ,nz"$f ii<= 3 mm'223s6A** B3BBN) r]r^r_r`rpatchrrrrr$r#rrs&" 4::LN 4::GH 4::45 4::45 .66IN .4::LN 4::GH 4::45 4::45 .66IN .4::LN 4::GH 4::45 4::45366IN 3r$rcTeZdZdZej dej dej ddZdZej dej dej ddZdZ ej dd Z y ) TestKmsUnitTestsWithShimz%Unit tests for gsutil kms using shim.rrrc ~d|j_g|j_tddg5t ddd5|j ddd d d t gd }dj|jd}|jdjtjdt |ddddddy#1swYxYw#1swYyxYw)NrGSUtiluse_gcloud_storageTruerhidden_shim_modedry_runrfake_dir(CLOUDSDK_CORE_PASS_CREDENTIALS_TO_GSUTILCLOUDSDK_ROOT_DIRr+r,r.foor-Treturn_log_handler infozRGcloud Storage Command: {} storage service-agent --project foo --authorize-cmek {}) rrr5rrrr{joinmessagesr:formatr_get_gcloud_binary_path)r!rrrmock_log_handler info_liness r#$test_shim_translates_authorize_flagsz=TestKmsUnitTestsWithShim.test_shim_translates_authorize_flagss BT$11?46((1 GHJ K 6<)"  ??5      3 ?C+DYY/88@A   11711*=~2O     K K   K Ks$CA5C5CC CCc |j}tddg5tddd5|jdddt |gd }d j |j d }|jd jtjdt ||ddddddy#1swYxYw#1swYyxYw)Nrrrrrr+rUrVTrrrzSGcloud Storage Command: {} storage buckets update --clear-default-encryption-key {} rWrrrrYrrr:rrrr!rZrrs r#)test_shim_translates_clear_encryption_keyzBTestKmsUnitTestsWithShim.test_shim_translates_clear_encryption_key&s""$J GHJ K 6<)"  ?? L$Z(89#+%YY/88@A   11711*=Z 2"#-  /  K K   K Ks#CA=B;*C;C CCc |j}~d|j_g|j_t ddg5t ddd5|j ddd d tt|gd }d j|jd}|jdjtjdtt||ddddddy#1swYxYw#1swYyxYw)Nrrrrrrr+rUrr-TrrrzQGcloud Storage Command: {} storage buckets update --default-encryption-key {} {})rWrrr5rrrr{rYrrr:rrr)r!rrrrZrrs r#*test_shim_translates_update_encryption_keyzCTestKmsUnitTestsWithShim.test_shim_translates_update_encryption_key9s""$JBT$11?46((1 GHJ K 6<)"  ?? L$n$&#+%YY/88@A   //5v11*=~Z 0"#-  /  K K   K Ks%C5BC)C5)C2 .C55C>c |j}tddg5tddd5|jddt |gd }d j |j d }|jd jtjdt ||ddddddy#1swYxYw#1swYyxYw) Nrrrrrr+rUTrrrzGcloud Storage Command: {} storage buckets describe --format=value[separator=": "](name, encryption.defaultKmsKeyName.yesno(no="No default encryption key.")) --raw {}rrs r#,test_shim_translates_displays_encryption_keyzETestKmsUnitTestsWithShim.test_shim_translates_displays_encryption_keyVs""$J GHJ K 6<)"  ?? L$z"23+NYY/88@A   y@@L#J/12<  >  K K   K Ks#CAGcloud Storage Command: {} storage service-agent --project foo) rrrrrrrr:rrr)r!rrrs r#+test_shim_translates_serviceaccount_commandzDTestKmsUnitTestsWithShim.test_shim_translates_serviceaccount_commandisCU$11? GHJ K 6<)"  ??5+J>B+DYY/88@A   #V11*=?@J L  K K   K Ks#B4A)B(B4(B1 -B44B=N) r]r^r_r`rrrrrrrrr$r#rrs- 4::LN 4::45 4::4566N8/&4::LN 4::45 4::45/66N/2>&4::LNLNLr$r)'r` __future__rrrrosrandomrunittestrgslib.cloud_apir gslib.project_idr gslib.tests.testcasetestsr)gslib.tests.testcase.integration_testcaser r r gslib.tests.utilrrYrrgslib.utils.retry_utilr gslib.utilsrr{GsUtilIntegrationTestCaserrdGsUtilUnitTestCaserShimUnitTestBaserrr$r#rs)&%' 1.''A?@012(!: CD DEg(<<gFEgT CD NO'H(*L*L'HPE'HT>3x22>3ByLx88yLr$