SrSSKJr SSKJr SSKJr SSKrSSKrSSKrSSKrSSK r SSK J r SSK J r SSK J r SS KJr SS KJr SS KJr \ R&"S 5rS r"SS\R,5r\R0"S/SQ5r"SS5r\"5rSrSr\R<"SS9S5rSr Sr!SSjr"SSjr#SSjr$g) z1Utilities that support customer encryption flows.)absolute_import)division)unicode_literalsN)errors) hash_util)user_request_args_factory) properties)yaml)function_result_cachezqprojects/([^/]+)/locations/([a-zA-Z0-9_-]{1,63})/keyRings/([a-zA-Z0-9_-]{1,63})/cryptoKeys/([a-zA-Z0-9_-]{1,63})$AES256c\rSrSrSrSrSrg)KeyType*CMEKCSEKN)__name__ __module__ __qualname____firstlineno__rr__static_attributes__r9lib/googlecloudsdk/command_lib/storage/encryption_util.pyrr*s $ $rr EncryptionKey)keytypesha256c.\rSrSrSrSSjrSrSrg) _KeyStore8auHolds encryption key information. Attributes: encryption_key (Optional[EncryptionKey]): The key for encryption. decryption_key_index (Dict[EncryptionKey.sha256, EncryptionKey]): Indexes keys that can be used for decryption. initialized (bool): True if encryption_key and decryption_key_index reflect the values they should based on flag and key file values. Nc<XlU=(d 0UlX0lgN)encryption_keydecryption_key_index initialized)selfr#r$r%s r__init___KeyStore.__init__Cs) 4 :D"rc[XR5(d[$URUR:H=(a9 URUR:H=(a UR UR :H$r") isinstance __class__NotImplementedr#r$r%)r&others r__eq___KeyStore.__eq__Ksb e^^ , ,  u333 . !!U%?%?? . E---r)r$r#r%)NNF)rrrr__doc__r'r.rrrrrr8s#$( #rrcU(d[R"S5eURS5(a[R"SU-5e[R U5(d%[R"SR U55eg)Nz Key is empty./z1KMS key should not start with leading slash (/): zInvalid KMS key name: {}. KMS keys should follow the format "projects//locations//keyRings//cryptoKeys/")rError startswith _CMEK_REGEXmatchformat)raw_keys r validate_cmekr9Xsx  ,, ''  ,,J     7 # # ,, !!' 22 $rcdURS5n[U5 [RnSn[XUS9$![R aa [ U5S:wae[Rn[R"[R"[R"U555nN~f=f)zAReturns an EncryptionKey populated with information from raw_key.asciiN,)rrr)encoder9rrrr3lenrrget_base64_hash_digest_stringhashlibrbase64 b64decoder)r8 raw_key_byteskey_typers r parse_keyrEgs..)- 9'||H F 7 AA 9 7|r ||H  4 4v'' 679F 9s:A2B/.B/)maxsizecU=(d2 [RRRR 5nU(d0$[ R "U5$)zReads the key store file, if it exists. Args: key_path: str | None, only provided for unit tests. Returns: The contents of the key store file, or an empty dict if the file does not exist. )r VALUESstoragekey_store_pathGetr load_path)key_pathrKs r_read_key_store_filerOws@Mz0088GGKKM.  I  ''rcX[XS5nUbU$[U5RU5$)aSearches for key values in flags, falling back to a file if necessary. Args: args: An object containing flag values from the command surface. key_field_name (str): Corresponds to a flag name or field name in the key file. key_store_path (str | None): The path to the key store file. Only provided if testing. Returns: The flag value associated with key_field_name, or the value contained in the key file. N)getattrrOget)argskey_field_namerKflag_keys r _get_raw_keyrVs1T4 0(  O n - 1 1. AArc0nU(aKUHEnU(dM [U5nUR[R:XdM7X1UR'MG U$)zParses and indexes raw keys. Args: raw_keys (list[str]): The keys to index. Returns: A dict mapping key hashes to keys in raw_keys. Falsy elements of raw_keys and non-CSEKs are skipped. )rErrrr)raw_keysindexr8rs r_index_decryption_keysrZsI %   g c W\\ !cjj  ,rcL[R(ag[USU5n[USS5(a[R [lOU(a[U5[lU/n[USU5nU(aX4- n[U5[l S[lg)aLoads appropriate encryption and decryption keys into memory. Prefers values from flags over those from the user's key file. If _key_store is not already initialized, creates a _KeyStore instance and stores it in a global variable. Args: args: An object containing flag values from the command surface. key_store_path (str | None): The path to the key store file. Only provided if testing. Nr#clear_encryption_keydecryption_keysT) _key_storer%rVrQrCLEARr#rErZr$)rSrKraw_encryption_keyrXraw_decryption_keyss rinitialize_key_storerbs #D*:NK T)400 9 ? ?J )*< =J !($T+rvs8&'   58H*$;jj=>  dii && :[  2 B 1% (& ( B(* < %r