dZddlmZddlmZddlmZddlmZddlZddlZddlm Z ddl Z ddl Z ddl Z ddl mZdd lmZd Zed ZGd d eZGddeZdZdZdZdZdZdZdZy)zGHelper functions for dealing with encryption keys used with cloud APIs.)absolute_import)print_function)division)unicode_literalsN)sha256)CommandException) LazyWrapperdc,tjdS)Nzqprojects/([^/]+)/locations/([a-zA-Z0-9_-]{1,63})/keyRings/([a-zA-Z0-9_-]{1,63})/cryptoKeys/([a-zA-Z0-9_-]{1,63})$)recompile0platform/gsutil/gslib/utils/encryption_helper.pyr"sBJJ; Returns a CryptoKeyWrapper for crypto_key, or None for no key.N)r)rs rCryptoKeyWrapperFromKeyr+Xs)3 * %==rc tjr!t|ts|j d}t |j ddd}|8|jtjk(r|j|k(r |jSttD]n}|dz}t |j ddt|zd}|y|jtjk(sR|j|k(sb|jcSy)a~Searches boto_config for a CSEK with the given base64-encoded SHA256 hash. Args: key_sha256: (str) Base64-encoded SHA256 hash of the AES256 encryption key. boto_config: (boto.pyami.config.Config) The boto config in which to check for a matching encryption key. Returns: (str) Base64-encoded encryption key string if a match is found, None otherwise. asciiGSUtilencryption_keyNzdecryption_key%s)sixPY3 isinstancebytesencoder+getr!rrr$rrangeMAX_DECRYPTION_KEYSstr) key_sha256 boto_config keywrapperi key_numbers rFindMatchingCSEKInBotoConfigr?]s WW j% ($$W-j&ooh 0$79* 2 22""j0   $ %aQJ("4s:"FMOJ  M$6$6 6  & &* 4  " "" &rcF|jddd}|r t|SdS)aReturns a CryptoKeyWrapper for the configured encryption key. Reads in the value of the "encryption_key" attribute in boto_config, and if present, verifies it is a valid base64-encoded string and returns a CryptoKeyWrapper for it. Args: boto_config: (boto.pyami.config.Config) The boto config in which to check for a matching encryption key. Returns: CryptoKeyWrapper for the specified encryption key, or None if no encryption key was specified in boto_config. r.r/N)r6rr;r/s rGetEncryptionKeyWrapperrBs*??8-=tD.-; . )EErctjr!t|ts|j d}t j |}t|}tj|}t j|}|jddS)Nr- r) r1r2r3r4r5base64 b64decode_CalculateSha256FromStringbinascii unhexlify b64encodereplace)csek_encryption_key decoded_bytesr: sha256_bytes sha256_base64s rr#r#ssWW )5 1/66w?""#67-)-8*##J/,""<0-   uc **rc|s td|jdrtd|ztj|std|zy)NzKMS key is empty./z5KMS key should not start with leading slash (/): "%s"zInvalid KMS key name: "%s". KMS keys should follow the format "projects//locations//keyRings//cryptoKeys/")r startswith VALID_CMEK_REmatch)keys rr%r%se . //^^C ?#E GG   s #  !#& ' (( $rcXt}|j||jS)N)rupdate hexdigest) input_string sha256_hashs rrGrGs&+ \"     rc|jddd}|r tj||S|S#tdxYw)aCReads the encryption key from boto_config and ensures it is base64-encoded. Args: boto_config: (boto.pyami.config.Config) The boto config in which to check for a matching encryption key. Returns: (str) Base64-encoded encryption key string, or None if no encryption key exists in configuration. r.r/NzConfigured encryption_key is not a valid base64 string. Please double-check your configuration and ensure the key is valid and in base64 format.)r6rErFrrAs r _GetAndVerifyBase64EncryptionKeyr\sS??8-=tD. ~&     s0 =)r __future__rrrrrErHhashlibrr sysr1gslib.exceptionrgslib.lazy_wrapperr r8rSobjectrrr+r?rBr#r%rGr\rrrrcsN&%'  ,*<= F '$v'$T> !#HF&+ (! r