:SrSSKJr SSKJr SSKJr SSKrSSKrSSKrSSKrSSK J r SSK J r SSK Jr SSKrS r1S krS rS r"S S\ R(5r"SS\5r"SS\5r"SS\5r"SS\5rSr"SS\R4"\R6\55r"SS\5r"SS\5r"SS\5r "S S!\5r!S.S"jr""S#S$\5r#"S%S&\5r$S'r%S(r&S)r'S*r(S+r)S,r*S-r+g)/zAUtility functions for managing customer supplied encryption keys.)absolute_import)division)unicode_literalsN) exceptions) resources) console_iozHhttps://cloud.google.com/compute/docs/disks/customer-supplied-encryption>keyurikey-type,iXc\rSrSrSrSrg)Error&zFBase exception for Csek(customer supplied encryption keys) exceptions.N)__name__ __module__ __qualname____firstlineno____doc____static_attributes__r0lib/googlecloudsdk/api_lib/compute/csek_utils.pyrr&sNrrc,^\rSrSrSrU4SjrSrU=r$)InvalidKeyFileException*z!There's a problem in a CSEK file.cJ>[[U] SRU55 g)Nz{0} For information on proper key file format see: https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#key_file)superr__init__format)self base_message __class__s rr InvalidKeyFileException.__init__-s# !41 006|0DFrrrrrrrrr __classcell__r"s@rrr*s)FFrrc,^\rSrSrSrU4SjrSrU=r$)BadPatternException4z$A (e.g.) url pattern is bad and why.c>XlX l[[U]SR URUR55 g)Nz&Invalid value for [{0}] pattern: [{1}]) pattern_typepatternrr(rr)r r+r,r"s rrBadPatternException.__init__7s<$L t-077    LL r)r,r+r$r&s@rr(r(4s,rr(c,^\rSrSrSrU4SjrSrU=r$)InvalidKeyExceptionNoContext@z.Indicate that a particular key is bad and why.c>XlX l[[U]SR URUR55 g)NzInvalid key, [{0}] : {1})r issuerr/rr)r r r2r"s rr%InvalidKeyExceptionNoContext.__init__Cs9HJ &6")) HH JJ r)r2r r$r&s@rr/r/@s6rr/c,^\rSrSrSrU4SjrSrU=r$)InvalidKeyExceptionLz6Indicate that a particular key is bad, why, and where.c>XlX lX0l[[U]SR URURUR55 g)Nz"Invalid key, [{0}], for [{1}]: {2})r key_idr2rr5rr)r r r8r2r"s rrInvalidKeyException.__init__OsEHKJ t-,33 HH KK JJ r)r2r r8r$r&s@rr5r5Ls>rr5c US:a[SRU55e[U5U:wa%[USRU[U555eUSS:wa [US5eUR S5n[ R"S U5(d [US 5e[R"U5 g ![ a [US5ef=f![a*n[US RUR55eS nAff=f) zFValidateKey(s, k) returns None or raises InvalidKeyExceptionNoContext.z6ValidateKey requires expected_key_length > 1. Got {0}zTKey should contain {0} characters (including padding), but is [{1}] characters long.=z4Bad padding. Keys should end with an '=' character.asciiz"Key contains non-ascii characters.z^[a-zA-Z0-9+/=]*$zKey contains unexpected characters. Base64 encoded strings contain only letters (upper or lower case), numbers, plusses '+', slashes '/', or equality signs '='.zKey is not valid base64: [{0}].N) ValueErrorrlenr/encodeUnicodeDecodeErrorrematchbase64 b64decode TypeErrormessage)base64_encoded_stringexpected_key_lengthbase64_encoded_string_as_strts r ValidateKeyrMZs51 Mf01 33 #66 & ((.  % &)( ))2#% &@ BB.#8#?#?#H &(= > > &$ A BB = 12 . &, ... = &)00; ===s$+B<%C<C D  %DD c\rSrSrSrSr\S Sj5r\RS5r \RS5r \ S5r Srg ) CsekKeyBasez#A class representing for CSEK keys.c>[XR5S9 Xlg)N)rJ)rM GetKeyLength _key_material)r key_materials rrCsekKeyBase.__init__s 2C2C2EF%rcUS:Xa [U5$US:XaU(a [U5$[US5e[U5e)a\Make a CSEK key. Args: key_material: str, the key material for this key key_type: str, the type of this key allow_rsa_encrypted: bool, whether the key is allowed to be RSA-wrapped Returns: CsekRawKey or CsekRsaEncryptedKey derived from the given key material and type. Raises: BadKeyTypeException: if the key is not a valid key type rawz rsa-encryptedzLthis feature is only allowed in the alpha and beta versions of this command.) CsekRawKeyCsekRsaEncryptedKeyBadKeyTypeExceptionrTkey_typeallow_rsa_encrypteds rMakeKeyCsekKeyBase.MakeKeysO"5  %%?" "<00     h ''rc[S5e)Nz"GetKeyLength() must be overridden.NotImplementedErrorr s rrRCsekKeyBase.GetKeyLengths B CCrcA[S5e)NzToMessage() must be overridden.rar compute_clients r ToMessageCsekKeyBase.ToMessages ? @@rcUR$NrSrcs rrTCsekKeyBase.key_materials   rrlNF)rrrrrr staticmethodr^abcabstractmethodrRrhpropertyrTrrrrrOrOsj+&((:DDAA  rrOc$\rSrSrSrSrSrSrg)rXz!Class representing raw CSEK keys.c[$rk)BASE64_RAW_KEY_LENGTH_IN_CHARSrcs rrRCsekRawKey.GetKeyLengths ))rcZURR[UR5S9$)N)rawKeyMESSAGES_MODULECustomerEncryptionKeystrrTrfs rrhCsekRawKey.ToMessages/  ) ) ? ?4$$% @ ''rrNrrrrrrRrhrrrrrXrXs)*'rrXc$\rSrSrSrSrSrSrg)rYz+Class representing rsa encrypted CSEK keys.c[$rk)(BASE64_RSA_ENCRYPTED_KEY_LENGTH_IN_CHARSrcs rrR CsekRsaEncryptedKey.GetKeyLengths 33rcZURR[UR5S9$)N)rsaEncryptedKeyrzrfs rrhCsekRsaEncryptedKey.ToMessages/  ) ) ? ?D--. @ 00rrNrrrrrYrYs340rrYc0^\rSrSrSrSU4SjjrSrU=r$)rZzA key type is bad and why.c>XlSRUR5nU(aUSU-- nUS- n[[U]U5 g)NzInvalid key type [{0}]z: .)r\rrrZr)r r\ explanationmsgr"s rrBadKeyTypeException.__init__sGM " ) )$-- 8C TK c3JC t-c2r)r\)r$r&s@rrZrZs"33rrZc(^\rSrSrU4SjrSrU=r$)MissingCsekExceptioncJ>[[U] SRU55 g)Nz0Key required for resource [{0}], but none found.)rrrr)r resourcer"s rrMissingCsekException.__init__s" .:AA(KMrr)rrrrrrr%r&s@rrrsMMrrc URSSSRU[S9S9 U(a%URSSSS RU[S9S 9 g g ) z$Adds arguments related to csek keys.z--csek-key-fileFILEaA Path to a Customer-Supplied Encryption Key (CSEK) key file that maps Compute Engine {resource}s to user managed keys to be used when creating, mounting, or taking snapshots of disks. If you pass `-` as value of the flag, the CSEK is read from stdin. See {csek_help} for more details. )r csek_help)metavarhelpz--require-csek-key-create store_trueTa Refuse to create {resource}s not protected by a user managed key in the key file when --csek-key-file is given. This behavior is enabled by default to prevent incorrect gcloud invocations from accidentally creating {resource}s with no user managed key. Disabling the check allows creation of some {resource}s without a matching Customer-Supplied Encryption Key in the supplied --csek-key-file. See {csek_help} for more details. )actiondefaultrN) add_argumentr CSEK_HELP_URL)parserflags_about_creation resource_types rAddCsekKeyArgsrsm  &-=& A C #  FM]F C Erc*\rSrSrSrSrSrSrSrg) UriPatternzCA uri-based pattern that maybe be matched against resource objects.cURS5(d [SU5e[RR U5R 5Ulg)Nhttpr ) startswithr(rREGISTRYParseURL RelativeName_path_as_string)r path_as_strings rrUriPattern.__init__sF  $ $V , , ~ 66$--66$  rc<URUR5:H$)z*Tests if its argument matches the pattern.)rr)r rs rMatchesUriPattern.Matchess   8#8#8#: ::rc SUR-$)Nz Uri Pattern: rrcs r__str__UriPattern.__str__ s T11 11rrN) rrrrrrrrrrrrrrsK' ;2rrcj\rSrSrSr\S5r\S Sj5r\S Sj5r Sr S Sjr S Sjr S r g ) CsekKeyStoreiz0Represents a map from resource patterns to keys.c<[R"USS9nU"X25$)aFromFile loads a CsekKeyStore from a file. Args: fname: str, the name of a file intended to contain a well-formed key file allow_rsa_encrypted: bool, whether to allow keys of type 'rsa-encrypted' Returns: A CsekKeyStore, if found Raises: googlecloudsdk.core.util.files.Error: If the file cannot be read or is larger than max_bytes. F)binary)rReadFromFileOrStdin)clsfnamer]contents rFromFileCsekKeyStore.FromFiles! ,,U5AG w ,,rc^URcg[RURU5$)aFromFile attempts to load a CsekKeyStore from a command's args. Args: args: CLI args with a csek_key_file field set allow_rsa_encrypted: bool, whether to allow keys of type 'rsa-encrypted' Returns: A CsekKeyStore, if a valid key file name is provided as csek_key_file None, if args.csek_key_file is None Raises: exceptions.BadFileException: there's a problem reading fname exceptions.InvalidKeyFileException: the key file failed to parse or was otherwise invalid N) csek_key_filerr)argsr]s rFromArgsCsekKeyStore.FromArgs)s-" !   !3!35H IIrc F[U[R5(de0n[R"U5n[U[ 5(d [ S5eUHn[U[5(d.[ SR[R"U555e[UR55[:waB[ SR[R"U5SR[555e[US5n[R!USUSUS9X%'M [U[5(deU$!["a#n[%UR&XVR(S 9eS nAff=f![*an[ UR,6eS nAff=f) a_ParseAndValidate(s) inteprets s as a csek key file. Args: s: str, an input to parse allow_rsa_encrypted: bool, whether to allow RSA-wrapped keys Returns: a valid state object Raises: InvalidKeyFileException: if the input doesn't parse or is not well-formed. z1Key file's top-level element must be a JSON list.z7Key file records must be JSON objects, but [{0}] found.z4Record [{0}] has incorrect json keys; [{1}] expected,r r r r[)r r8r2N) isinstancesix string_typesjsonloadslistrdictrdumpssetkeysEXPECTED_RECORD_KEY_KEYSjoinrrOr^r/r5r r2r?r)sr]staterecords key_recordr,es r_ParseAndValidateCsekKeyStore._ParseAndValidate?s a)) * ** * E- 1 g  & &% @B B **d++'GNN**Z(*+ + z !%= ='DKK**Z(((3467 7 Z./ N&..%e,z*7M"5/7%. 0 eT " "" " L, N#gWWM M N - #QVV ,,-s<C/E?E2E? E<E77E<<E?? F  FF c,[UR5$rk)r@rrcs r__len__CsekKeyStore.__len__ss tzz?rc n[UR[5(deSn[R"UR5HRupEUR U5(dMUS(a([ SRUSU[U555eXE4nMT U(aUSc [U5eUS$)aSearch for the unique key corresponding to a given resource. Args: resource: the resource to find a key for. raise_if_missing: bool, raise an exception if the resource is not found. Returns: CsekKeyBase, corresponding to the resource, or None if not found and not raise_if_missing. Raises: InvalidKeyFileException: if there are two records matching the resource. MissingCsekException: if raise_if_missing and no key is found for the provided resource. )NNrzEUri patterns [{0}] and [{1}] both match resource [{2}]. Bailing out.r;) rrrr iteritemsrrrr}r)r rraise_if_missing search_statepatr s r LookupKeyCsekKeyStore.LookupKeyvs djj$ ' '' 'LMM$**- X   ?'..4fq/3H /78 8 z .\!_4  ** ?rc:[RUU5Ulgrk)rrr)r json_stringr]s rrCsekKeyStore.__init__s// 0CEDJr)rNrn)rrrrr classmethodrrorrrrrrrrrrrsU8 --$JJ*11f DErrc6U(aURU5$S$rk)rh)csek_key_or_nonecomputes rMaybeToMessagers0@  # #G ,JdJrcBU(aU(aURU5$grk)r)csek_keys_or_noners rMaybeLookupKeyrs8  & &x 00 rc.[X5n[X25$rk)rr)rrrg maybe_keys rMaybeLookupKeyMessagers.9)  22rcDUVs/sHn[X5PM sn$s snfrk)r)rresource_collectionrs rMaybeLookupKeysrs"8K L8K1.* .8K LL LscV[X5Vs/sHn[X25PM sn$s snfrk)rr)rrrgks rMaybeLookupKeyMessagesrs8 + A C A12. + A CC Cs&c t[UUVs/sHo3(aURU5OSPM sn5$s snfrk)rParse)rrurisus rMaybeLookupKeysByUrirs6 156A1 Q$&6 886s#5 cX[XU5Vs/sHn[XC5PM sn$s snfrk)rr)rrrrgrs rMaybeLookupKeyMessagesByUrirs: 0$ ? A ?12. + ? AA As')Tr),r __future__rrrrprErrCgooglecloudsdk.api_lib.computergooglecloudsdk.corergooglecloudsdk.core.consolerrrrrvrrrr(r/r5rMwith_metaclassABCMetaobjectrOrXrYrZrrrrrrrrrrrrrrrs/H&' 5)2 0 5!#+.(OJ  OFeF 1  #:  1 '=T0#$$S[[&90f''0+0 31 3M5ME<22"KE6KEbK3 MC 8 Ar