SrSSKJr SSKJr SSKJr SSKJr SSKrSSKrSSKJ r SSK r SSK r SSK r SSK Jr SS KJr S r\"S 5r"S S \5r"SS\5rSrSrSrSrSrSrSrg)zGHelper functions for dealing with encryption keys used with cloud APIs.)absolute_import)print_function)division)unicode_literalsN)sha256)CommandException) LazyWrapperdc.[R"S5$)Nzqprojects/([^/]+)/locations/([a-zA-Z0-9_-]{1,63})/keyRings/([a-zA-Z0-9_-]{1,63})/cryptoKeys/([a-zA-Z0-9_-]{1,63})$)recompile0platform/gsutil/gslib/utils/encryption_helper.pyr"sBJJ; Returns a CryptoKeyWrapper for crypto_key, or None for no key.N)r)r#s rCryptoKeyWrapperFromKeyr0Xs)3 * %==rc 8[R(a&[U[5(dUR S5n[ UR SSS55nUb:UR[R:XaURU:Xa UR$[[5HsnUS-n[ UR SS[U5-S55nUc gUR[R:XdMUURU:XdMgURs $ g)anSearches boto_config for a CSEK with the given base64-encoded SHA256 hash. Args: key_sha256: (str) Base64-encoded SHA256 hash of the AES256 encryption key. boto_config: (boto.pyami.config.Config) The boto config in which to check for a matching encryption key. Returns: (str) Base64-encoded encryption key string if a match is found, None otherwise. asciiGSUtilencryption_keyNzdecryption_key%s)sixPY3 isinstancebytesencoder0getr%rrr(r#rangeMAX_DECRYPTION_KEYSstr) key_sha256 boto_config keywrapperi key_numbers rFindMatchingCSEKInBotoConfigrD]s WW j% ( ($$W-j&ooh 0$79* 2 22""j0   $ %aQJ("4s:"FMOJ  M$6$6 6  & &* 4  " "" &rcPURSSS5nU(a [U5$S$)aReturns a CryptoKeyWrapper for the configured encryption key. Reads in the value of the "encryption_key" attribute in boto_config, and if present, verifies it is a valid base64-encoded string and returns a CryptoKeyWrapper for it. Args: boto_config: (boto.pyami.config.Config) The boto config in which to check for a matching encryption key. Returns: CryptoKeyWrapper for the specified encryption key, or None if no encryption key was specified in boto_config. r3r4N)r;rr@r4s rGetEncryptionKeyWrapperrGs*??8-=tD.-; . )EErc6[R(a&[U[5(dUR S5n[ R "U5n[U5n[R"U5n[ R"U5nURSS5$)Nr2 r) r6r7r8r9r:base64 b64decode_CalculateSha256FromStringbinascii unhexlify b64encodereplace)csek_encryption_key decoded_bytesr? sha256_bytes sha256_base64s rr'r'svWW )5 1 1/66w?""#67-)-8*##J/,""<0-   uc **rcU(d [S5eURS5(a[SU-5e[5RU5(d[SU-5eg)NzKMS key is empty./z5KMS key should not start with leading slash (/): "%s"zInvalid KMS key name: "%s". KMS keys should follow the format "projects//locations//keyRings//cryptoKeys/")r startswith VALID_CMEK_REmatch)keys rr)r)sk . //^^C ?#E GG   s # #  !#& ' (( $rcX[5nURU5 UR5$)N)rupdate hexdigest) input_string sha256_hashs rrLrLs&+ \"     rcURSSS5nU(a[R"U5 U$U$! [S5e=f)a5Reads the encryption key from boto_config and ensures it is base64-encoded. Args: boto_config: (boto.pyami.config.Config) The boto config in which to check for a matching encryption key. Returns: (str) Base64-encoded encryption key string, or None if no encryption key exists in configuration. r3r4NzConfigured encryption_key is not a valid base64 string. Please double-check your configuration and ensure the key is valid and in base64 format.)r;rJrKrrFs r _GetAndVerifyBase64EncryptionKeyrasS??8-=tD. ~&     s 6 A)r __future__rrrrrJrMhashlibrr sysr6gslib.exceptionrgslib.lazy_wrapperr r=rXobjectrrr0rDrGr'r)rLrarrrrhsN&%'  ,*<= F '$v'$T> !#HF&+ (! r