From 2469a6a32c741f8df4fd31a76dd1b501aa7853ff Mon Sep 17 00:00:00 2001 
From: Bu Sun Kim
Date: Fri, 29 May 2020 00:02:46 +0000
Subject: [PATCH] Remove KMS samples

---
 kms/README.rst | 3 +
 kms/api-client/README.rst | 82 ----
 kms/api-client/README.rst.in | 19 -
 .../create_key_asymmetric_decrypt.py | 54 ---
 kms/api-client/create_key_asymmetric_sign.py | 54 ---
 kms/api-client/create_key_hsm.py | 56 ---
 kms/api-client/create_key_labels.py | 58 ---
 kms/api-client/create_key_ring.py | 46 --
 .../create_key_rotation_schedule.py | 67 ---
 .../create_key_symmetric_encrypt_decrypt.py | 54 ---
 kms/api-client/create_key_version.py | 47 --
 kms/api-client/decrypt_asymmetric.py | 46 --
 kms/api-client/decrypt_symmetric.py | 45 --
 kms/api-client/destroy_key_version.py | 45 --
 kms/api-client/disable_key_version.py | 55 ---
 kms/api-client/enable_key_version.py | 55 ---
 kms/api-client/encrypt_asymmetric.py | 69 ---
 kms/api-client/encrypt_symmetric.py | 51 ---
 kms/api-client/get_key_labels.py | 48 --
 kms/api-client/get_key_version_attestation.py | 56 ---
 kms/api-client/get_public_key.py | 45 --
 kms/api-client/iam_add_member.py | 56 ---
 kms/api-client/iam_get_policy.py | 54 ---
 kms/api-client/iam_remove_member.py | 57 ---
 kms/api-client/quickstart.py | 49 --
 kms/api-client/requirements-test.txt | 1 -
 kms/api-client/requirements.txt | 2 -
 kms/api-client/restore_key_version.py | 45 --
 kms/api-client/sign_asymmetric.py | 64 ---
 kms/api-client/snippets_test.py | 423 ------------------
 kms/api-client/update_key_add_rotation.py | 62 ---
 kms/api-client/update_key_remove_labels.py | 54 ---
 kms/api-client/update_key_remove_rotation.py | 53 ---
 kms/api-client/update_key_set_primary.py | 45 --
 kms/api-client/update_key_update_labels.py | 54 ---
 kms/api-client/verify_asymmetric_ec.py | 72 ---
 kms/api-client/verify_asymmetric_rsa.py | 73 ---
 kms/attestations/README.rst | 74 ---
 kms/attestations/README.rst.in | 19 -
 kms/attestations/requirements-test.txt | 1 -
 kms/attestations/requirements.txt | 2 -
 kms/attestations/verify_attestation.py | 86 ----
 kms/attestations/verify_attestation_test.py | 109 -----
 43 files changed, 3 insertions(+), 2507 deletions(-)
 create mode 100644 kms/README.rst
 delete mode 100644 kms/api-client/README.rst
 delete mode 100644 kms/api-client/README.rst.in
 delete mode 100644 kms/api-client/create_key_asymmetric_decrypt.py
 delete mode 100644 kms/api-client/create_key_asymmetric_sign.py
 delete mode 100644 kms/api-client/create_key_hsm.py
 delete mode 100644 kms/api-client/create_key_labels.py
 delete mode 100644 kms/api-client/create_key_ring.py
 delete mode 100644 kms/api-client/create_key_rotation_schedule.py
 delete mode 100644 kms/api-client/create_key_symmetric_encrypt_decrypt.py
 delete mode 100644 kms/api-client/create_key_version.py
 delete mode 100644 kms/api-client/decrypt_asymmetric.py
 delete mode 100644 kms/api-client/decrypt_symmetric.py
 delete mode 100644 kms/api-client/destroy_key_version.py
 delete mode 100644 kms/api-client/disable_key_version.py
 delete mode 100644 kms/api-client/enable_key_version.py
 delete mode 100644 kms/api-client/encrypt_asymmetric.py
 delete mode 100644 kms/api-client/encrypt_symmetric.py
 delete mode 100644 kms/api-client/get_key_labels.py
 delete mode 100644 kms/api-client/get_key_version_attestation.py
 delete mode 100644 kms/api-client/get_public_key.py
 delete mode 100644 kms/api-client/iam_add_member.py
 delete mode 100644 kms/api-client/iam_get_policy.py
 delete mode 100644 kms/api-client/iam_remove_member.py
 delete mode 100644 kms/api-client/quickstart.py
 delete mode 100644 kms/api-client/requirements-test.txt
 delete mode 100644 kms/api-client/requirements.txt
 delete mode 100644 kms/api-client/restore_key_version.py
 delete mode 100644 kms/api-client/sign_asymmetric.py
 delete mode 100644 kms/api-client/snippets_test.py
 delete mode 100644 kms/api-client/update_key_add_rotation.py
 delete mode 100644 kms/api-client/update_key_remove_labels.py
 delete mode 100644 kms/api-client/update_key_remove_rotation.py
 delete mode 100644 kms/api-client/update_key_set_primary.py
 delete mode 100644 kms/api-client/update_key_update_labels.py
 delete mode 100644 kms/api-client/verify_asymmetric_ec.py
 delete mode 100644 kms/api-client/verify_asymmetric_rsa.py
 delete mode 100644 kms/attestations/README.rst
 delete mode 100644 kms/attestations/README.rst.in
 delete mode 100644 kms/attestations/requirements-test.txt
 delete mode 100644 kms/attestations/requirements.txt
 delete mode 100644 kms/attestations/verify_attestation.py
 delete mode 100644 kms/attestations/verify_attestation_test.py
diff --git a/kms/README.rst b/kms/README.rst
new file mode 100644
index 00000000000..fb1e7ecda92
--- /dev/null
+++ b/kms/README.rst
@@ -0,0 +1,3 @@
+These samples have been moved.
+
+https://github.com/googleapis/python-kms/tree/master/samples
diff --git a/kms/api-client/README.rst b/kms/api-client/README.rst
deleted file mode 100644
index 3acb00f5d91..00000000000
--- a/kms/api-client/README.rst
+++ /dev/null
@@ -1,82 +0,0 @@ -.. This file is automatically generated. Do not edit this file directly. - -Google Cloud KMS API Python Samples -=============================================================================== - -.. image:: https://gstatic.com/cloudssh/images/open-btn.png - :target: https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/GoogleCloudPlatform/python-docs-samples&page=editor&open_in_editor=kms/api-client/README.rst - - -This directory contains samples for Google Cloud KMS API. The `Google Cloud KMS API`_ is a service that allows you to keep encryption keys centrally in the cloud, for direct use by cloud services. - - - - -.. _Google Cloud KMS API: https://cloud.google.com/kms/docs/ - -Setup -------------------------------------------------------------------------------- - - -Authentication -++++++++++++++ - -This sample requires you to have authentication setup. Refer to the -`Authentication Getting Started Guide`_ for instructions on setting up -credentials for applications. - -.. _Authentication Getting Started Guide: - https://cloud.google.com/docs/authentication/getting-started - -Install Dependencies -++++++++++++++++++++ - -#. Clone python-docs-samples and change directory to the sample directory you want to use. - - .. code-block:: bash - - $ git clone https://github.com/GoogleCloudPlatform/python-docs-samples.git - -#. Install `pip`_ and `virtualenv`_ if you do not already have them. You may want to refer to the `Python Development Environment Setup Guide`_ for Google Cloud Platform for instructions. - - .. _Python Development Environment Setup Guide: - https://cloud.google.com/python/setup - -#. Create a virtualenv. Samples are compatible with Python 2.7 and 3.4+. - - .. code-block:: bash - - $ virtualenv env - $ source env/bin/activate - -#. Install the dependencies needed to run the samples. - - .. code-block:: bash - - $ pip install -r requirements.txt - -.. _pip: https://pip.pypa.io/ -.. 
_virtualenv: https://virtualenv.pypa.io/ - -Samples -------------------------------------------------------------------------------- - -Quickstart -+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - -.. image:: https://gstatic.com/cloudssh/images/open-btn.png - :target: https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/GoogleCloudPlatform/python-docs-samples&page=editor&open_in_editor=kms/api-client/quickstart.py,kms/api-client/README.rst - - - - -To run this sample: - -.. code-block:: bash - - $ python quickstart.py - - - - -.. _Google Cloud SDK: https://cloud.google.com/sdk/ \ No newline at end of file diff --git a/kms/api-client/README.rst.in b/kms/api-client/README.rst.in deleted file mode 100644 index cfd81fc800b..00000000000 --- a/kms/api-client/README.rst.in +++ /dev/null @@ -1,19 +0,0 @@ -# This file is used to generate README.rst - -product: - name: Google Cloud KMS API - short_name: Cloud KMS API - url: https://cloud.google.com/kms/docs/ - description: > - The `Google Cloud KMS API`_ is a service that allows you to keep encryption - keys centrally in the cloud, for direct use by cloud services. - -setup: -- auth -- install_deps - -samples: -- name: Quickstart - file: quickstart.py - -folder: kms/api-client diff --git a/kms/api-client/create_key_asymmetric_decrypt.py b/kms/api-client/create_key_asymmetric_decrypt.py deleted file mode 100644 index cac157958eb..00000000000 --- a/kms/api-client/create_key_asymmetric_decrypt.py +++ /dev/null 
@@ -1,54 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and - - -# [START kms_create_key_asymmetric_decrypt] -def create_key_asymmetric_decrypt(project_id, location_id, key_ring_id, id): - """ - Creates a new asymmetric decryption key in Cloud KMS. - - Args: - project_id (string): Google Cloud project ID (e.g. 'my-project'). - location_id (string): Cloud KMS location (e.g. 'us-east1'). - key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring'). - id (string): ID of the key to create (e.g. 'my-asymmetric-decrypt-key'). - - Returns: - CryptoKey: Cloud KMS key. - - """ - - # Import the client library. - from google.cloud import kms - - # Create the client. - client = kms.KeyManagementServiceClient() - - # Build the parent key ring name. - key_ring_name = client.key_ring_path(project_id, location_id, key_ring_id) - - # Build the key. - purpose = kms.enums.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT - algorithm = kms.enums.CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_DECRYPT_OAEP_2048_SHA256 - key = { - 'purpose': purpose, - 'version_template': { - 'algorithm': algorithm, - } - } - - # Call the API. - created_key = client.create_crypto_key(key_ring_name, id, key) - print('Created asymmetric decrypt key: {}'.format(created_key.name)) - return created_key -# [END kms_create_key_asymmetric_decrypt] diff --git a/kms/api-client/create_key_asymmetric_sign.py b/kms/api-client/create_key_asymmetric_sign.py deleted file mode 100644 index 9bf18a7a996..00000000000 
--- a/kms/api-client/create_key_asymmetric_sign.py +++ /dev/null @@ -1,54 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and - - -# [START kms_create_key_asymmetric_sign] -def create_key_asymmetric_sign(project_id, location_id, key_ring_id, id): - """ - Creates a new asymmetric signing key in Cloud KMS. - - Args: - project_id (string): Google Cloud project ID (e.g. 'my-project'). - location_id (string): Cloud KMS location (e.g. 'us-east1'). - key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring'). - id (string): ID of the key to create (e.g. 'my-asymmetric-signing-key'). - - Returns: - CryptoKey: Cloud KMS key. - - """ - - # Import the client library. - from google.cloud import kms - - # Create the client. - client = kms.KeyManagementServiceClient() - - # Build the parent key ring name. - key_ring_name = client.key_ring_path(project_id, location_id, key_ring_id) - - # Build the key. - purpose = kms.enums.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN - algorithm = kms.enums.CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256 - key = { - 'purpose': purpose, - 'version_template': { - 'algorithm': algorithm, - } - } - - # Call the API. - created_key = client.create_crypto_key(key_ring_name, id, key) - print('Created asymmetric signing key: {}'.format(created_key.name)) - return created_key -# [END kms_create_key_asymmetric_sign] 
diff --git a/kms/api-client/create_key_hsm.py b/kms/api-client/create_key_hsm.py
deleted file mode 100644
index 84ba37e5d00..00000000000
--- a/kms/api-client/create_key_hsm.py
+++ /dev/null
@@ -1,56 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and - - -# [START kms_create_key_hsm] -def create_key_hsm(project_id, location_id, key_ring_id, id): - """ - Creates a new key in Cloud KMS backed by Cloud HSM. - - Args: - project_id (string): Google Cloud project ID (e.g. 'my-project'). - location_id (string): Cloud KMS location (e.g. 'us-east1'). - key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring'). - id (string): ID of the key to create (e.g. 'my-hsm-key'). - - Returns: - CryptoKey: Cloud KMS key. - - """ - - # Import the client library. - from google.cloud import kms - - # Create the client. - client = kms.KeyManagementServiceClient() - - # Build the parent key ring name. - key_ring_name = client.key_ring_path(project_id, location_id, key_ring_id) - - # Build the key. - purpose = kms.enums.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT - algorithm = kms.enums.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION - protection_level = kms.enums.ProtectionLevel.HSM - key = { - 'purpose': purpose, - 'version_template': { - 'algorithm': algorithm, - 'protection_level': protection_level - } - } - - # Call the API. - created_key = client.create_crypto_key(key_ring_name, id, key) - print('Created hsm key: {}'.format(created_key.name)) - return created_key -# [END kms_create_key_hsm] diff --git a/kms/api-client/create_key_labels.py b/kms/api-client/create_key_labels.py deleted file mode 100644 index e64a10cb955..00000000000 
--- a/kms/api-client/create_key_labels.py +++ /dev/null @@ -1,58 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and - - -# [START kms_create_key_labels] -def create_key_labels(project_id, location_id, key_ring_id, id): - """ - Creates a new key in Cloud KMS with labels. - - Args: - project_id (string): Google Cloud project ID (e.g. 'my-project'). - location_id (string): Cloud KMS location (e.g. 'us-east1'). - key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring'). - id (string): ID of the key to create (e.g. 'my-labeled-key'). - - Returns: - CryptoKey: Cloud KMS key. - - """ - - # Import the client library. - from google.cloud import kms - - # Create the client. - client = kms.KeyManagementServiceClient() - - # Build the parent key ring name. - key_ring_name = client.key_ring_path(project_id, location_id, key_ring_id) - - # Build the key. - purpose = kms.enums.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT - algorithm = kms.enums.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION - key = { - 'purpose': purpose, - 'version_template': { - 'algorithm': algorithm, - }, - 'labels': { - 'team': 'alpha', - 'cost_center': 'cc1234' - } - } - - # Call the API. - created_key = client.create_crypto_key(key_ring_name, id, key) - print('Created labeled key: {}'.format(created_key.name)) - return created_key -# [END kms_create_key_labels] 
diff --git a/kms/api-client/create_key_ring.py b/kms/api-client/create_key_ring.py deleted file mode 100644 index c01e8490516..00000000000 --- a/kms/api-client/create_key_ring.py +++ /dev/null @@ -1,46 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and - - -# [START kms_create_key_ring] -def create_key_ring(project_id, location_id, id): - """ - Creates a new key ring in Cloud KMS - - Args: - project_id (string): Google Cloud project ID (e.g. 'my-project'). - location_id (string): Cloud KMS location (e.g. 'us-east1'). - id (string): ID of the key ring to create (e.g. 'my-key-ring'). - - Returns: - KeyRing: Cloud KMS key ring. - - """ - - # Import the client library. - from google.cloud import kms - - # Create the client. - client = kms.KeyManagementServiceClient() - - # Build the parent location name. - location_name = client.location_path(project_id, location_id) - - # Build the key ring. - key_ring = {} - - # Call the API. - created_key_ring = client.create_key_ring(location_name, id, key_ring) - print('Created key ring: {}'.format(created_key_ring.name)) - return created_key_ring -# [END kms_create_key_ring] diff --git a/kms/api-client/create_key_rotation_schedule.py b/kms/api-client/create_key_rotation_schedule.py deleted file mode 100644 index e6bbdb62d36..00000000000 --- a/kms/api-client/create_key_rotation_schedule.py +++ /dev/null 
@@ -1,67 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and - - -# [START kms_create_key_rotation_schedule] -def create_key_rotation_schedule(project_id, location_id, key_ring_id, id): - """ - Creates a new key in Cloud KMS that automatically rotates. - - Args: - project_id (string): Google Cloud project ID (e.g. 'my-project'). - location_id (string): Cloud KMS location (e.g. 'us-east1'). - key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring'). - id (string): ID of the key to create (e.g. 'my-rotating-key'). - - Returns: - CryptoKey: Cloud KMS key. - - """ - - # Import the client library. - from google.cloud import kms - - # Import time for getting the current time. - import time - - # Create the client. - client = kms.KeyManagementServiceClient() - - # Build the parent key ring name. - key_ring_name = client.key_ring_path(project_id, location_id, key_ring_id) - - # Build the key. - purpose = kms.enums.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT - algorithm = kms.enums.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION - key = { - 'purpose': purpose, - 'version_template': { - 'algorithm': algorithm, - }, - - # Rotate the key every 30 days. - 'rotation_period': { - 'seconds': 60*60*24*30 - }, - - # Start the first rotation in 24 hours. - 'next_rotation_time': { - 'seconds': int(time.time()) + 60*60*24 - } - } - - # Call the API. 
- created_key = client.create_crypto_key(key_ring_name, id, key)
- print('Created labeled key: {}'.format(created_key.name))
- return created_key
-# [END kms_create_key_rotation_schedule]
diff --git a/kms/api-client/create_key_symmetric_encrypt_decrypt.py b/kms/api-client/create_key_symmetric_encrypt_decrypt.py
deleted file mode 100644
index 54b9c5f4098..00000000000
--- a/kms/api-client/create_key_symmetric_encrypt_decrypt.py
+++ /dev/null
@@ -1,54 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and - - -# [START kms_create_key_symmetric_encrypt_decrypt] -def create_key_symmetric_encrypt_decrypt(project_id, location_id, key_ring_id, id): - """ - Creates a new symmetric encryption/decryption key in Cloud KMS. - - Args: - project_id (string): Google Cloud project ID (e.g. 'my-project'). - location_id (string): Cloud KMS location (e.g. 'us-east1'). - key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring'). - id (string): ID of the key to create (e.g. 'my-symmetric-key'). - - Returns: - CryptoKey: Cloud KMS key. - - """ - - # Import the client library. - from google.cloud import kms - - # Create the client. - client = kms.KeyManagementServiceClient() - - # Build the parent key ring name. - key_ring_name = client.key_ring_path(project_id, location_id, key_ring_id) - - # Build the key. - purpose = kms.enums.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT - algorithm = kms.enums.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION - key = { - 'purpose': purpose, - 'version_template': { - 'algorithm': algorithm, - } - } - - # Call the API. - created_key = client.create_crypto_key(key_ring_name, id, key) - print('Created symmetric key: {}'.format(created_key.name)) - return created_key -# [END kms_create_key_symmetric_encrypt_decrypt] diff --git a/kms/api-client/create_key_version.py b/kms/api-client/create_key_version.py deleted file mode 100644 index 9c84f808a94..00000000000 
--- a/kms/api-client/create_key_version.py +++ /dev/null @@ -1,47 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and - - -# [START kms_create_key_version] -def create_key_version(project_id, location_id, key_ring_id, key_id): - """ - Creates a new version of the given key. - - Args: - project_id (string): Google Cloud project ID (e.g. 'my-project'). - location_id (string): Cloud KMS location (e.g. 'us-east1'). - key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring'). - key_id (string): ID of the key for which to create a new version (e.g. 'my-key'). - - Returns: - CryptoKeyVersion: Cloud KMS key version. - - """ - - # Import the client library. - from google.cloud import kms - - # Create the client. - client = kms.KeyManagementServiceClient() - - # Build the parent key name. - key_name = client.crypto_key_path(project_id, location_id, key_ring_id, key_id) - - # Build the key version. - version = {} - - # Call the API. - created_version = client.create_crypto_key_version(key_name, version) - print('Created key version: {}'.format(created_version.name)) - return created_version -# [END kms_create_key_version] diff --git a/kms/api-client/decrypt_asymmetric.py b/kms/api-client/decrypt_asymmetric.py deleted file mode 100644 index 7b040cdd420..00000000000 --- a/kms/api-client/decrypt_asymmetric.py +++ /dev/null 
@@ -1,46 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and - - -# [START kms_decrypt_asymmetric] -def decrypt_asymmetric(project_id, location_id, key_ring_id, key_id, version_id, ciphertext): - """ - Decrypt the ciphertext using an asymmetric key. - - Args: - project_id (string): Google Cloud project ID (e.g. 'my-project'). - location_id (string): Cloud KMS location (e.g. 'us-east1'). - key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring'). - key_id (string): ID of the key to use (e.g. 'my-key'). - version_id (string): ID of the key version to use (e.g. '1'). - ciphertext (bytes): Encrypted bytes to decrypt. - - Returns: - DecryptResponse: Response including plaintext. - - """ - - # Import the client library. - from google.cloud import kms - - # Create the client. - client = kms.KeyManagementServiceClient() - - # Build the key version name. - key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, key_id, version_id) - - # Call the API. - decrypt_response = client.asymmetric_decrypt(key_version_name, ciphertext) - print('Plaintext: {}'.format(decrypt_response.plaintext)) - return decrypt_response -# [END kms_decrypt_asymmetric] diff --git a/kms/api-client/decrypt_symmetric.py b/kms/api-client/decrypt_symmetric.py deleted file mode 100644 index a5cbe714279..00000000000 --- a/kms/api-client/decrypt_symmetric.py +++ /dev/null 
@@ -1,45 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and - - -# [START kms_decrypt_symmetric] -def decrypt_symmetric(project_id, location_id, key_ring_id, key_id, ciphertext): - """ - Decrypt the ciphertext using the symmetric key - - Args: - project_id (string): Google Cloud project ID (e.g. 'my-project'). - location_id (string): Cloud KMS location (e.g. 'us-east1'). - key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring'). - key_id (string): ID of the key to use (e.g. 'my-key'). - ciphertext (bytes): Encrypted bytes to decrypt. - - Returns: - DecryptResponse: Response including plaintext. - - """ - - # Import the client library. - from google.cloud import kms - - # Create the client. - client = kms.KeyManagementServiceClient() - - # Build the key name. - key_name = client.crypto_key_path(project_id, location_id, key_ring_id, key_id) - - # Call the API. - decrypt_response = client.decrypt(key_name, ciphertext) - print('Plaintext: {}'.format(decrypt_response.plaintext)) - return decrypt_response -# [END kms_decrypt_symmetric] diff --git a/kms/api-client/destroy_key_version.py b/kms/api-client/destroy_key_version.py deleted file mode 100644 index 7423ca7e099..00000000000 --- a/kms/api-client/destroy_key_version.py +++ /dev/null 
@@ -1,45 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and - - -# [START kms_destroy_key_version] -def destroy_key_version(project_id, location_id, key_ring_id, key_id, version_id): - """ - Schedule destruction of the given key version. - - Args: - project_id (string): Google Cloud project ID (e.g. 'my-project'). - location_id (string): Cloud KMS location (e.g. 'us-east1'). - key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring'). - key_id (string): ID of the key to use (e.g. 'my-key'). - version_id (string): ID of the key version to destroy (e.g. '1'). - - Returns: - CryptoKeyVersion: The version. - - """ - - # Import the client library. - from google.cloud import kms - - # Create the client. - client = kms.KeyManagementServiceClient() - - # Build the key version name. - key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, key_id, version_id) - - # Call the API. - destroyed_version = client.destroy_crypto_key_version(key_version_name) - print('Destroyed key version: {}'.format(destroyed_version.name)) - return destroyed_version -# [END kms_destroy_key_version] diff --git a/kms/api-client/disable_key_version.py b/kms/api-client/disable_key_version.py deleted file mode 100644 index a4a16dd57a6..00000000000 --- a/kms/api-client/disable_key_version.py +++ /dev/null 
@@ -1,55 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and - - -# [START kms_disable_key_version] -def disable_key_version(project_id, location_id, key_ring_id, key_id, version_id): - """ - Disable a key. - - Args: - project_id (string): Google Cloud project ID (e.g. 'my-project'). - location_id (string): Cloud KMS location (e.g. 'us-east1'). - key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring'). - key_id (string): ID of the key to use (e.g. 'my-key'). - version_id (string): ID of the key version to disable (e.g. '1'). - - Returns: - CryptoKeyVersion: The version. - - """ - - # Import the client library. - from google.cloud import kms - - # Create the client. - client = kms.KeyManagementServiceClient() - - # Build the key version name. - key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, key_id, version_id) - - # Build the key version. We need to build a full proto instead of a dict due - # to https://github.com/googleapis/gapic-generator-python/issues/364. - from google.cloud.kms_v1.proto import resources_pb2 - key_version = resources_pb2.CryptoKeyVersion() - key_version.name = key_version_name - key_version.state = kms.enums.CryptoKeyVersion.CryptoKeyVersionState.DISABLED - - # Build the update mask. - update_mask = {'paths': ['state']} - - # Call the API. 
- disabled_version = client.update_crypto_key_version(key_version, update_mask)
- print('Disabled key version: {}'.format(disabled_version.name))
- return disabled_version
-# [END kms_disable_key_version]
diff --git a/kms/api-client/enable_key_version.py b/kms/api-client/enable_key_version.py
deleted file mode 100644
index 9cb8daadd66..00000000000
--- a/kms/api-client/enable_key_version.py
+++ /dev/null
@@ -1,55 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-
-
-# [START kms_enable_key_version]
-def enable_key_version(project_id, location_id, key_ring_id, key_id, version_id):
- """
- Enable a key.
-
- Args:
- project_id (string): Google Cloud project ID (e.g. 'my-project').
- location_id (string): Cloud KMS location (e.g. 'us-east1').
- key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring').
- key_id (string): ID of the key to use (e.g. 'my-key').
- version_id (string): ID of the key version to enable (e.g. '1').
-
- Returns:
- CryptoKeyVersion: The version.
-
- """
-
- # Import the client library.
- from google.cloud import kms
-
- # Create the client.
- client = kms.KeyManagementServiceClient()
-
- # Build the key version name.
- key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, key_id, version_id)
-
- # Build the key version. We need to build a full proto instead of a dict due
- # to https://github.com/googleapis/gapic-generator-python/issues/364.
- from google.cloud.kms_v1.proto import resources_pb2
- key_version = resources_pb2.CryptoKeyVersion()
- key_version.name = key_version_name
- key_version.state = kms.enums.CryptoKeyVersion.CryptoKeyVersionState.ENABLED
-
- # Build the update mask.
- update_mask = {'paths': ['state']}
-
- # Call the API.
- enabled_version = client.update_crypto_key_version(key_version, update_mask)
- print('Enabled key version: {}'.format(enabled_version.name))
- return enabled_version
-# [END kms_enable_key_version]
diff --git a/kms/api-client/encrypt_asymmetric.py b/kms/api-client/encrypt_asymmetric.py
deleted file mode 100644
index efe40322c42..00000000000
--- a/kms/api-client/encrypt_asymmetric.py
+++ /dev/null
@@ -1,69 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-
-
-# [START kms_encrypt_asymmetric]
-def encrypt_asymmetric(project_id, location_id, key_ring_id, key_id, version_id, plaintext):
- """
- Encrypt plaintext using the public key portion of an asymmetric key.
-
- Args:
- project_id (string): Google Cloud project ID (e.g. 'my-project').
- location_id (string): Cloud KMS location (e.g. 'us-east1').
- key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring').
- key_id (string): ID of the key to use (e.g. 'my-key').
- version_id (string): ID of the key version to use (e.g. '1').
- plaintext (string): message to encrypt
-
- Returns:
- bytes: Encrypted ciphertext.
-
- """
-
- # Import the client library.
- from google.cloud import kms
-
- # Import base64 for printing the ciphertext.
- import base64
-
- # Import cryptographic helpers from the cryptography package.
- from cryptography.hazmat.backends import default_backend
- from cryptography.hazmat.primitives import hashes, serialization
- from cryptography.hazmat.primitives.asymmetric import padding
-
- # Convert the plaintext to bytes.
- plaintext_bytes = plaintext.encode('utf-8')
-
- # Create the client.
- client = kms.KeyManagementServiceClient()
-
- # Build the key version name.
- key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, key_id, version_id)
-
- # Get the public key.
- public_key = client.get_public_key(key_version_name)
-
- # Extract and parse the public key as a PEM-encoded RSA key.
- pem = public_key.pem.encode('utf-8')
- rsa_key = serialization.load_pem_public_key(pem, default_backend())
-
- # Construct the padding. Note that the padding differs based on key choice.
- sha256 = hashes.SHA256()
- mgf = padding.MGF1(algorithm=sha256)
- pad = padding.OAEP(mgf=mgf, algorithm=sha256, label=None)
-
- # Encrypt the data using the public key.
- ciphertext = rsa_key.encrypt(plaintext_bytes, pad)
- print('Ciphertext: {}'.format(base64.b64encode(ciphertext)))
- return ciphertext
-# [END kms_encrypt_asymmetric]
diff --git a/kms/api-client/encrypt_symmetric.py b/kms/api-client/encrypt_symmetric.py
deleted file mode 100644
index b90da358f67..00000000000
--- a/kms/api-client/encrypt_symmetric.py
+++ /dev/null
@@ -1,51 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-
-
-# [START kms_encrypt_symmetric]
-def encrypt_symmetric(project_id, location_id, key_ring_id, key_id, plaintext):
- """
- Encrypt plaintext using a symmetric key.
-
- Args:
- project_id (string): Google Cloud project ID (e.g. 'my-project').
- location_id (string): Cloud KMS location (e.g. 'us-east1').
- key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring').
- key_id (string): ID of the key to use (e.g. 'my-key').
- plaintext (string): message to encrypt
-
- Returns:
- bytes: Encrypted ciphertext.
-
- """
-
- # Import the client library.
- from google.cloud import kms
-
- # Import base64 for printing the ciphertext.
- import base64
-
- # Convert the plaintext to bytes.
- plaintext_bytes = plaintext.encode('utf-8')
-
- # Create the client.
- client = kms.KeyManagementServiceClient()
-
- # Build the key name.
- key_name = client.crypto_key_path(project_id, location_id, key_ring_id, key_id)
-
- # Call the API.
- encrypt_response = client.encrypt(key_name, plaintext_bytes)
- print('Ciphertext: {}'.format(base64.b64encode(encrypt_response.ciphertext)))
- return encrypt_response
-# [END kms_encrypt_symmetric]
diff --git a/kms/api-client/get_key_labels.py b/kms/api-client/get_key_labels.py
deleted file mode 100644
index 363bcfbaf03..00000000000
--- a/kms/api-client/get_key_labels.py
+++ /dev/null
@@ -1,48 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-
-
-# [START kms_get_key_labels]
-def get_key_labels(project_id, location_id, key_ring_id, key_id):
- """
- Get a key and its labels.
-
- Args:
- project_id (string): Google Cloud project ID (e.g. 'my-project').
- location_id (string): Cloud KMS location (e.g. 'us-east1').
- key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring').
- key_id (string): ID of the key to use (e.g. 'my-key').
-
- Returns:
- CryptoKey: Cloud KMS key.
-
- """
-
- # Import the client library.
- from google.cloud import kms
-
- # Create the client.
- client = kms.KeyManagementServiceClient()
-
- # Build the key name.
- key_name = client.crypto_key_path(project_id, location_id, key_ring_id, key_id)
-
- # Call the API.
- key = client.get_crypto_key(key_name)
-
- # Example of iterating over labels.
- for k, v in key.labels.items():
- print('{} = {}'.format(k, v))
-
- return key
-# [END kms_get_key_labels]
diff --git a/kms/api-client/get_key_version_attestation.py b/kms/api-client/get_key_version_attestation.py
deleted file mode 100644
index 615d4653d8e..00000000000
--- a/kms/api-client/get_key_version_attestation.py
+++ /dev/null
@@ -1,56 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-
-
-# [START kms_get_key_version_attestation]
-def get_key_version_attestation(project_id, location_id, key_ring_id, key_id, version_id):
- """
- Get an HSM-backend key's attestation.
-
- Args:
- project_id (string): Google Cloud project ID (e.g. 'my-project').
- location_id (string): Cloud KMS location (e.g. 'us-east1').
- key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring').
- key_id (string): ID of the key to use (e.g. 'my-key').
- version_id (string): ID of the version to use (e.g. '1').
-
- Returns:
- Attestation: Cloud KMS key attestation.
-
- """
-
- # Import the client library.
- from google.cloud import kms
-
- # Import base64 for printing the attestation.
- import base64
-
- # Create the client.
- client = kms.KeyManagementServiceClient()
-
- # Build the key version name.
- key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, key_id, version_id)
-
- # Call the API.
- version = client.get_crypto_key_version(key_version_name)
-
- # Only HSM keys have an attestation. For other key types, the attestion
- # will be None.
- attestation = version.attestation
- if not attestation:
- raise 'no attestation - attestations only exist on HSM keys'
-
- encoded_attestation = base64.b64encode(attestation.content)
- print('Got key attestation: {}'.format(encoded_attestation))
- return attestation
-# [END kms_get_key_version_attestation]
diff --git a/kms/api-client/get_public_key.py b/kms/api-client/get_public_key.py
deleted file mode 100644
index 1b810d15f6a..00000000000
--- a/kms/api-client/get_public_key.py
+++ /dev/null
@@ -1,45 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-
-
-# [START kms_get_public_key]
-def get_public_key(project_id, location_id, key_ring_id, key_id, version_id):
- """
- Get the public key for an asymmetric key.
-
- Args:
- project_id (string): Google Cloud project ID (e.g. 'my-project').
- location_id (string): Cloud KMS location (e.g. 'us-east1').
- key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring').
- key_id (string): ID of the key to use (e.g. 'my-key').
- version_id (string): ID of the key to use (e.g. '1').
-
- Returns:
- PublicKey: Cloud KMS public key response.
-
- """
-
- # Import the client library.
- from google.cloud import kms
-
- # Create the client.
- client = kms.KeyManagementServiceClient()
-
- # Build the key version name.
- key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, key_id, version_id)
-
- # Call the API.
- public_key = client.get_public_key(key_version_name)
- print('Public key: {}'.format(public_key.pem))
- return public_key
-# [END kms_get_public_key]
diff --git a/kms/api-client/iam_add_member.py b/kms/api-client/iam_add_member.py
deleted file mode 100644
index 442f248390d..00000000000
--- a/kms/api-client/iam_add_member.py
+++ /dev/null
@@ -1,56 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-
-
-# [START kms_iam_add_member]
-def iam_add_member(project_id, location_id, key_ring_id, key_id, member):
- """
- Add an IAM member to a resource.
-
- Args:
- project_id (string): Google Cloud project ID (e.g. 'my-project').
- location_id (string): Cloud KMS location (e.g. 'us-east1').
- key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring').
- key_id (string): ID of the key to use (e.g. 'my-key').
- member (string): Member to add (e.g. 'user:foo@example.com')
-
- Returns:
- Policy: Updated Cloud IAM policy.
-
- """
-
- # Import the client library.
- from google.cloud import kms
-
- # Create the client.
- client = kms.KeyManagementServiceClient()
-
- # Build the resource name.
- resource_name = client.crypto_key_path(project_id, location_id, key_ring_id, key_id)
-
- # The resource name could also be a key ring.
- # resource_name = client.key_ring_path(project_id, location_id, key_ring_id);
-
- # Get the current policy.
- policy = client.get_iam_policy(resource_name)
-
- # Add the member to the policy.
- policy.bindings.add(
- role='roles/cloudkms.cryptoKeyEncrypterDecrypter',
- members=[member])
-
- # Save the updated IAM policy.
- updated_policy = client.set_iam_policy(resource_name, policy)
- print('Added {} to {}'.format(member, resource_name))
- return updated_policy
-# [END kms_iam_add_member]
diff --git a/kms/api-client/iam_get_policy.py b/kms/api-client/iam_get_policy.py
deleted file mode 100644
index c00172e98a5..00000000000
--- a/kms/api-client/iam_get_policy.py
+++ /dev/null
@@ -1,54 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-
-
-# [START kms_iam_get_policy]
-def iam_get_policy(project_id, location_id, key_ring_id, key_id):
- """
- Get the IAM policy for a resource.
-
- Args:
- project_id (string): Google Cloud project ID (e.g. 'my-project').
- location_id (string): Cloud KMS location (e.g. 'us-east1').
- key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring').
- key_id (string): ID of the key to use (e.g. 'my-key').
-
- Returns:
- Policy: Cloud IAM policy.
-
- """
-
- # Import the client library.
- from google.cloud import kms
-
- # Create the client.
- client = kms.KeyManagementServiceClient()
-
- # Build the resource name.
- resource_name = client.crypto_key_path(project_id, location_id, key_ring_id, key_id)
-
- # The resource name could also be a key ring.
- # resource_name = client.key_ring_path(project_id, location_id, key_ring_id);
-
- # Get the current policy.
- policy = client.get_iam_policy(resource_name)
-
- # Print the policy
- print('IAM policy for {}'.format(resource_name))
- for binding in policy.bindings:
- print(binding.role)
- for member in binding.members:
- print('- {}'.format(member))
-
- return policy
-# [END kms_iam_get_policy]
diff --git a/kms/api-client/iam_remove_member.py b/kms/api-client/iam_remove_member.py
deleted file mode 100644
index ad73fab943c..00000000000
--- a/kms/api-client/iam_remove_member.py
+++ /dev/null
@@ -1,57 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-
-
-# [START kms_iam_remove_member]
-def iam_remove_member(project_id, location_id, key_ring_id, key_id, member):
- """
- Remove an IAM member from a resource.
-
- Args:
- project_id (string): Google Cloud project ID (e.g. 'my-project').
- location_id (string): Cloud KMS location (e.g. 'us-east1').
- key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring').
- key_id (string): ID of the key to use (e.g. 'my-key').
- member (string): Member to remove (e.g. 'user:foo@example.com')
-
- Returns:
- Policy: Updated Cloud IAM policy.
-
- """
-
- # Import the client library.
- from google.cloud import kms
-
- # Create the client.
- client = kms.KeyManagementServiceClient()
-
- # Build the resource name.
- resource_name = client.crypto_key_path(project_id, location_id, key_ring_id, key_id)
-
- # The resource name could also be a key ring.
- # resource_name = client.key_ring_path(project_id, location_id, key_ring_id);
-
- # Get the current policy.
- policy = client.get_iam_policy(resource_name)
-
- # Remove the member from the policy.
- for binding in policy.bindings:
- if binding.role == 'roles/cloudkms.cryptoKeyEncrypterDecrypter':
- if member in binding.members:
- binding.members.remove(member)
-
- # Save the updated IAM policy.
- updated_policy = client.set_iam_policy(resource_name, policy)
- print('Removed {} from {}'.format(member, resource_name))
- return updated_policy
-# [END kms_iam_remove_member]
diff --git a/kms/api-client/quickstart.py b/kms/api-client/quickstart.py
deleted file mode 100644
index 91b5a49ad41..00000000000
--- a/kms/api-client/quickstart.py
+++ /dev/null
@@ -1,49 +0,0 @@
-#!/usr/bin/env python
-
-# Copyright 2017 Google, Inc
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-
-import argparse
-
-
-# [START kms_quickstart]
-def quickstart(project_id, location_id):
- # Import the client library.
- from google.cloud import kms
-
- # Create the client.
- client = kms.KeyManagementServiceClient()
-
- # Build the parent location name.
- location_name = client.location_path(project_id, location_id)
-
- # Call the API.
- key_rings = client.list_key_rings(location_name)
-
- # Example of iterating over key rings.
- for key_ring in key_rings:
- print(key_ring.name)
-
- return key_rings
-# [END kms_quickstart]
-
-
-if __name__ == '__main__':
- parser = argparse.ArgumentParser(
- description=__doc__,
- formatter_class=argparse.RawDescriptionHelpFormatter)
- parser.add_argument('project_id', help='id of the GCP project')
- parser.add_argument('location_id', help='id of the KMS location')
- args = parser.parse_args()
-
- quickstart(args.project_id, args.location_id)
diff --git a/kms/api-client/requirements-test.txt b/kms/api-client/requirements-test.txt
deleted file mode 100644
index d3e30fa6c73..00000000000
--- a/kms/api-client/requirements-test.txt
+++ /dev/null
@@ -1 +0,0 @@
-pytest==5.4.1
diff --git a/kms/api-client/requirements.txt b/kms/api-client/requirements.txt
deleted file mode 100644
index 6e2cc2a4558..00000000000
--- a/kms/api-client/requirements.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-google-cloud-kms==1.4.0
-cryptography==2.9.2
diff --git a/kms/api-client/restore_key_version.py b/kms/api-client/restore_key_version.py
deleted file mode 100644
index 3c4668d6bed..00000000000
--- a/kms/api-client/restore_key_version.py
+++ /dev/null
@@ -1,45 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-
-
-# [START kms_restore_key_version]
-def restore_key_version(project_id, location_id, key_ring_id, key_id, version_id):
- """
- Restore a key version scheduled for destruction.
-
- Args:
- project_id (string): Google Cloud project ID (e.g. 'my-project').
- location_id (string): Cloud KMS location (e.g. 'us-east1').
- key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring').
- key_id (string): ID of the key to use (e.g. 'my-key').
- version_id (string): ID of the version to use (e.g. '1').
-
- Returns:
- CryptoKeyVersion: Restored Cloud KMS key version.
-
- """
-
- # Import the client library.
- from google.cloud import kms
-
- # Create the client.
- client = kms.KeyManagementServiceClient()
-
- # Build the key version name.
- key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, key_id, version_id)
-
- # Call the API.
- restored_version = client.restore_crypto_key_version(key_version_name)
- print('Restored key version: {}'.format(restored_version.name))
- return restored_version
-# [END kms_restore_key_version]
diff --git a/kms/api-client/sign_asymmetric.py b/kms/api-client/sign_asymmetric.py
deleted file mode 100644
index a92a13ec20e..00000000000
--- a/kms/api-client/sign_asymmetric.py
+++ /dev/null
@@ -1,64 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-
-
-# [START kms_sign_asymmetric]
-def sign_asymmetric(project_id, location_id, key_ring_id, key_id, version_id, message):
- """
- Sign a message using the public key part of an asymmetric key.
-
- Args:
- project_id (string): Google Cloud project ID (e.g. 'my-project').
- location_id (string): Cloud KMS location (e.g. 'us-east1').
- key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring').
- key_id (string): ID of the key to use (e.g. 'my-key').
- version_id (string): Version to use (e.g. '1').
- message (string): Message to sign.
-
- Returns:
- AsymmetricSignResponse: Signature.
-
- """
-
- # Import the client library.
- from google.cloud import kms
-
- # Import base64 for printing the ciphertext.
- import base64
-
- # Import hashlib for calculating hashes.
- import hashlib
-
- # Create the client.
- client = kms.KeyManagementServiceClient()
-
- # Build the key version name.
- key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, key_id, version_id)
-
- # Convert the message to bytes.
- message_bytes = message.encode('utf-8')
-
- # Calculate the hash.
- hash_ = hashlib.sha256(message_bytes).digest()
-
- # Build the digest.
- #
- # Note: Key algorithms will require a varying hash function. For
- # example, EC_SIGN_P384_SHA384 requires SHA-384.
- digest = {'sha256': hash_}
-
- # Call the API
- sign_response = client.asymmetric_sign(key_version_name, digest)
- print('Signature: {}'.format(base64.b64encode(sign_response.signature)))
- return sign_response
-# [END kms_sign_asymmetric]
diff --git a/kms/api-client/snippets_test.py b/kms/api-client/snippets_test.py
deleted file mode 100644
index e7705cc9908..00000000000
--- a/kms/api-client/snippets_test.py
+++ /dev/null
@@ -1,423 +0,0 @@
-# Copyright 2017 Google, Inc
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-
-import hashlib
-import os
-import time
-import uuid
-
-from cryptography.exceptions import InvalidSignature
-from cryptography.hazmat.backends import default_backend
-from cryptography.hazmat.primitives import hashes, serialization
-from cryptography.hazmat.primitives.asymmetric import padding, utils
-from google.cloud import kms
-from google.cloud.kms_v1.proto import resources_pb2
-import pytest
-
-from create_key_asymmetric_decrypt import create_key_asymmetric_decrypt
-from create_key_asymmetric_sign import create_key_asymmetric_sign
-from create_key_hsm import create_key_hsm
-from create_key_labels import create_key_labels
-from create_key_ring import create_key_ring
-from create_key_rotation_schedule import create_key_rotation_schedule
-from create_key_symmetric_encrypt_decrypt import create_key_symmetric_encrypt_decrypt
-from create_key_version import create_key_version
-from decrypt_asymmetric import decrypt_asymmetric
-from decrypt_symmetric import decrypt_symmetric
-from destroy_key_version import destroy_key_version
-from disable_key_version import disable_key_version
-from enable_key_version import enable_key_version
-from encrypt_asymmetric import encrypt_asymmetric
-from encrypt_symmetric import encrypt_symmetric
-from get_key_labels import get_key_labels
-from get_key_version_attestation import get_key_version_attestation
-from get_public_key import get_public_key
-from iam_add_member import iam_add_member
-from iam_get_policy import iam_get_policy
-from iam_remove_member import iam_remove_member
-from quickstart import quickstart
-from restore_key_version import restore_key_version
-from sign_asymmetric import sign_asymmetric
-from update_key_add_rotation import update_key_add_rotation
-from update_key_remove_labels import update_key_remove_labels
-from update_key_remove_rotation import update_key_remove_rotation
-from update_key_set_primary import update_key_set_primary
-from update_key_update_labels import update_key_update_labels
-from verify_asymmetric_ec import verify_asymmetric_ec
-from verify_asymmetric_rsa import verify_asymmetric_rsa
-
-
-@pytest.fixture(scope="module")
-def client():
- return kms.KeyManagementServiceClient()
-
-
-@pytest.fixture(scope="module")
-def project_id():
- return os.environ['GOOGLE_CLOUD_PROJECT']
-
-
-@pytest.fixture(scope="module")
-def location_id():
- return "us-east1"
-
-
-@pytest.fixture(scope="module")
-def key_ring_id(client, project_id, location_id):
- location_name = client.location_path(project_id, location_id)
- key_ring_id = '{}'.format(uuid.uuid4())
- key_ring = client.create_key_ring(location_name, key_ring_id, {})
-
- yield key_ring_id
-
- for key in client.list_crypto_keys(key_ring.name):
- if key.rotation_period.seconds > 0 or key.next_rotation_time.seconds > 0:
- # https://github.com/googleapis/gapic-generator-python/issues/364
- updated_key = resources_pb2.CryptoKey()
- updated_key.name = key.name
- update_mask = {'paths': ['rotation_period', 'next_rotation_time']}
- client.update_crypto_key(updated_key, update_mask)
-
- f = 'state != DESTROYED AND state != DESTROY_SCHEDULED'
- for version in client.list_crypto_key_versions(key.name, filter_=f):
- client.destroy_crypto_key_version(version.name)
-
-
-@pytest.fixture(scope="module")
-def asymmetric_decrypt_key_id(client, project_id, location_id, key_ring_id):
- key_ring_name = client.key_ring_path(project_id, location_id, key_ring_id)
- key_id = '{}'.format(uuid.uuid4())
- key = client.create_crypto_key(key_ring_name, key_id, {
- 'purpose': kms.enums.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT,
- 'version_template': {
- 'algorithm': kms.enums.CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_DECRYPT_OAEP_2048_SHA256
- },
- 'labels': {'foo': 'bar', 'zip': 'zap'}
- })
- wait_for_ready(client, '{}/cryptoKeyVersions/1'.format(key.name))
- return key_id
-
-
-@pytest.fixture(scope="module")
-def asymmetric_sign_ec_key_id(client, project_id, location_id, key_ring_id):
- key_ring_name = client.key_ring_path(project_id, location_id, key_ring_id)
- key_id = '{}'.format(uuid.uuid4())
- key = client.create_crypto_key(key_ring_name, key_id, {
- 'purpose': kms.enums.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN,
- 'version_template': {
- 'algorithm': kms.enums.CryptoKeyVersion.CryptoKeyVersionAlgorithm.EC_SIGN_P256_SHA256
- },
- 'labels': {'foo': 'bar', 'zip': 'zap'}
- })
- wait_for_ready(client, '{}/cryptoKeyVersions/1'.format(key.name))
- return key_id
-
-
-@pytest.fixture(scope="module")
-def asymmetric_sign_rsa_key_id(client, project_id, location_id, key_ring_id):
- key_ring_name = client.key_ring_path(project_id, location_id, key_ring_id)
- key_id = '{}'.format(uuid.uuid4())
- key = client.create_crypto_key(key_ring_name, key_id, {
- 'purpose': kms.enums.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN,
- 'version_template': {
- 'algorithm': kms.enums.CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
- },
- 'labels': {'foo': 'bar', 'zip': 'zap'}
- })
- wait_for_ready(client, '{}/cryptoKeyVersions/1'.format(key.name))
- return key_id
-
-
-@pytest.fixture(scope="module")
-def hsm_key_id(client, project_id, location_id, key_ring_id):
- key_ring_name = client.key_ring_path(project_id, location_id, key_ring_id)
- key_id = '{}'.format(uuid.uuid4())
- key = client.create_crypto_key(key_ring_name, key_id, {
- 'purpose': kms.enums.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT,
- 'version_template': {
- 'algorithm': kms.enums.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION,
- 'protection_level': kms.enums.ProtectionLevel.HSM
- },
- 'labels': {'foo': 'bar', 'zip': 'zap'}
- })
- wait_for_ready(client, '{}/cryptoKeyVersions/1'.format(key.name))
- return key_id
-
-
-@pytest.fixture(scope="module")
-def symmetric_key_id(client, project_id, location_id, key_ring_id):
- key_ring_name = client.key_ring_path(project_id, location_id, key_ring_id)
- key_id = '{}'.format(uuid.uuid4())
- key = client.create_crypto_key(key_ring_name, key_id, {
- 'purpose': kms.enums.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT,
- 'version_template': {
- 'algorithm': kms.enums.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION
- },
- 'labels': {'foo': 'bar', 'zip': 'zap'}
- })
- wait_for_ready(client, '{}/cryptoKeyVersions/1'.format(key.name))
- return key_id
-
-
-def wait_for_ready(client, key_version_name):
- for i in range(5):
- key_version = client.get_crypto_key_version(key_version_name)
- if key_version.state == kms.enums.CryptoKeyVersion.CryptoKeyVersionState.ENABLED:
- return
- time.sleep(0.1*(i**2))
- pytest.fail('{} not ready'.format(key_version_name))
-
-
-def test_create_key_asymmetric_decrypt(project_id, location_id, key_ring_id):
- key_id = '{}'.format(uuid.uuid4())
- key = create_key_asymmetric_decrypt(project_id, location_id, key_ring_id, key_id)
- assert key.purpose == kms.enums.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT
- assert key.version_template.algorithm == kms.enums.CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_DECRYPT_OAEP_2048_SHA256
-
-
-def test_create_key_asymmetric_sign(project_id, location_id, key_ring_id):
- key_id = '{}'.format(uuid.uuid4())
- key = create_key_asymmetric_sign(project_id, location_id, key_ring_id, key_id)
- assert key.purpose == kms.enums.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN
- assert key.version_template.algorithm == kms.enums.CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PKCS1_2048_SHA256
-
-
-def test_create_key_hsm(project_id, location_id, key_ring_id):
- key_id = '{}'.format(uuid.uuid4())
- key = create_key_hsm(project_id, location_id, key_ring_id, key_id)
- assert key.purpose == kms.enums.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT
- assert key.version_template.algorithm == kms.enums.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION
- assert key.version_template.protection_level == kms.enums.ProtectionLevel.HSM
-
-
-def test_create_key_labels(project_id, location_id, key_ring_id):
- key_id = '{}'.format(uuid.uuid4())
- key = create_key_labels(project_id, location_id, key_ring_id, key_id)
- assert key.purpose == kms.enums.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT
- assert key.version_template.algorithm == kms.enums.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION
- assert key.labels == {'team': 'alpha', 'cost_center': 'cc1234'}
-
-
-def test_create_key_ring(project_id, location_id):
- key_ring_id = '{}'.format(uuid.uuid4())
- key_ring = create_key_ring(project_id, location_id, key_ring_id)
- assert key_ring
-
-
-def test_create_key_rotation_schedule(project_id, location_id, key_ring_id):
- key_id = '{}'.format(uuid.uuid4())
- key = create_key_rotation_schedule(project_id, location_id, key_ring_id, key_id)
- assert key.rotation_period.seconds == 60*60*24*30
- assert key.next_rotation_time.seconds > 0
-
-
-def test_create_key_symmetric_encrypt_decrypt(project_id, location_id, key_ring_id):
- key_id = '{}'.format(uuid.uuid4())
- key = create_key_symmetric_encrypt_decrypt(project_id, location_id, key_ring_id, key_id)
- assert key.purpose == kms.enums.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT
- assert key.version_template.algorithm == kms.enums.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION
-
-
-def test_create_key_version(project_id, location_id, key_ring_id, symmetric_key_id):
- version = create_key_version(project_id, location_id, key_ring_id, symmetric_key_id)
- assert version
-
-
-def test_decrypt_asymmetric(client, project_id, location_id, key_ring_id, asymmetric_decrypt_key_id):
- message = 'my message'.encode('utf-8')
-
- key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, asymmetric_decrypt_key_id, '1')
- public_key = client.get_public_key(key_version_name)
-
- pem = public_key.pem.encode('utf-8')
- rsa_key = serialization.load_pem_public_key(pem, default_backend())
-
- pad = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
- algorithm=hashes.SHA256(),
- label=None)
- ciphertext = rsa_key.encrypt(message, pad)
-
- response = decrypt_asymmetric(project_id, location_id, key_ring_id, asymmetric_decrypt_key_id, '1', ciphertext)
- assert response.plaintext == message
-
-
-def test_decrypt_symmetric(client, project_id, location_id, key_ring_id, symmetric_key_id):
- plaintext = 'my message'.encode('utf-8')
-
- key_version_name = client.crypto_key_path(project_id, location_id, key_ring_id, symmetric_key_id)
- encrypt_response = client.encrypt(key_version_name, plaintext)
- ciphertext = encrypt_response.ciphertext
-
- decrypt_response = decrypt_symmetric(project_id, location_id, key_ring_id, symmetric_key_id, ciphertext)
- assert decrypt_response.plaintext == plaintext
-
-
-def test_destroy_restore_key_version(client, project_id, location_id, key_ring_id, asymmetric_decrypt_key_id):
- key_name = client.crypto_key_path(project_id, location_id, key_ring_id, asymmetric_decrypt_key_id)
- version = client.create_crypto_key_version(key_name, {})
- version_id = version.name.split('/')[-1]
-
- wait_for_ready(client, version.name)
-
- destroyed_version = destroy_key_version(project_id, location_id, key_ring_id, asymmetric_decrypt_key_id, version_id)
- assert destroyed_version.state == kms.enums.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED
-
- restored_version = restore_key_version(project_id, location_id, key_ring_id, asymmetric_decrypt_key_id, version_id)
- assert restored_version.state == kms.enums.CryptoKeyVersion.CryptoKeyVersionState.DISABLED
-
-
-def test_disable_enable_key_version(client, project_id, location_id, key_ring_id, asymmetric_decrypt_key_id):
- key_name = client.crypto_key_path(project_id, location_id, key_ring_id, asymmetric_decrypt_key_id)
- version = client.create_crypto_key_version(key_name, {})
- version_id = version.name.split('/')[-1]
-
- wait_for_ready(client, version.name)
-
- disabled_version = disable_key_version(project_id, location_id, key_ring_id, asymmetric_decrypt_key_id, version_id)
- assert disabled_version.state == kms.enums.CryptoKeyVersion.CryptoKeyVersionState.DISABLED
-
- enabled_version = enable_key_version(project_id, location_id, key_ring_id, asymmetric_decrypt_key_id, version_id)
- assert enabled_version.state == kms.enums.CryptoKeyVersion.CryptoKeyVersionState.ENABLED
-
-
-def test_encrypt_asymmetric(client, project_id, location_id, key_ring_id, asymmetric_decrypt_key_id):
- plaintext = 'my message'
- ciphertext = encrypt_asymmetric(project_id, location_id, key_ring_id, asymmetric_decrypt_key_id, '1', plaintext)
-
- key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, asymmetric_decrypt_key_id, '1')
- response = client.asymmetric_decrypt(key_version_name, ciphertext)
- assert response.plaintext == plaintext.encode('utf-8')
-
-
-def test_encrypt_symmetric(client, project_id, location_id, key_ring_id, symmetric_key_id):
- plaintext = 'my message'
- encrypt_response = encrypt_symmetric(project_id, location_id, key_ring_id, symmetric_key_id, plaintext)
-
- key_name = client.crypto_key_path(project_id, location_id, key_ring_id, symmetric_key_id)
- decrypt_response = client.decrypt(key_name, encrypt_response.ciphertext)
- assert decrypt_response.plaintext == plaintext.encode('utf-8')
-
-
-def test_get_key_labels(project_id, location_id, key_ring_id, symmetric_key_id):
- key = get_key_labels(project_id, location_id, key_ring_id, symmetric_key_id)
- assert key.labels == {'foo': 'bar', 'zip': 'zap'}
-
-
-def test_get_key_version_attestation(project_id, location_id, key_ring_id, hsm_key_id):
- attestation = get_key_version_attestation(project_id, location_id, key_ring_id, hsm_key_id, '1')
- assert attestation.format
- assert attestation.content
-
-
-def test_get_public_key(project_id, location_id, key_ring_id, asymmetric_decrypt_key_id):
- public_key = get_public_key(project_id, location_id, key_ring_id, asymmetric_decrypt_key_id, '1')
- assert public_key.pem
-
-
-def test_iam_add_member(project_id, location_id, key_ring_id, symmetric_key_id):
- member = 'group:test@google.com'
- policy = iam_add_member(project_id, location_id, key_ring_id, symmetric_key_id, member)
- assert any(member in b.members for b in policy.bindings)
-
-
-def test_iam_get_policy(project_id, location_id, key_ring_id, symmetric_key_id):
- policy = iam_get_policy(project_id, location_id, key_ring_id, symmetric_key_id)
- assert policy
-
-
-def test_iam_remove_member(client, project_id, location_id, key_ring_id, asymmetric_sign_rsa_key_id):
- resource_name = client.crypto_key_path(project_id, location_id, key_ring_id, asymmetric_sign_rsa_key_id)
-
- policy = client.get_iam_policy(resource_name)
- policy.bindings.add(
- role='roles/cloudkms.cryptoKeyEncrypterDecrypter',
- members=['group:test@google.com', 'group:tester@google.com'])
- client.set_iam_policy(resource_name, policy)
-
- policy = iam_remove_member(project_id, location_id, key_ring_id, asymmetric_sign_rsa_key_id, 'group:test@google.com')
- assert not any('group:test@google.com' in b.members for b in policy.bindings)
- assert any('group:tester@google.com' in b.members for b in policy.bindings)
-
-
-def test_sign_asymmetric(client, project_id, location_id, key_ring_id, asymmetric_sign_rsa_key_id):
- message = 'my message'
-
- sign_response = sign_asymmetric(project_id, location_id, key_ring_id, asymmetric_sign_rsa_key_id, '1', message)
- assert sign_response.signature
-
- key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, asymmetric_sign_rsa_key_id, '1')
- public_key = client.get_public_key(key_version_name)
- pem = public_key.pem.encode('utf-8')
- rsa_key = serialization.load_pem_public_key(pem, default_backend())
- hash_ = hashlib.sha256(message.encode('utf-8')).digest()
-
- try:
- sha256 = hashes.SHA256()
- pad = padding.PKCS1v15()
- rsa_key.verify(sign_response.signature, hash_, pad, utils.Prehashed(sha256))
- except InvalidSignature:
- pytest.fail('invalid signature')
-
-
-def test_update_key_add_rotation(project_id, location_id, key_ring_id, symmetric_key_id):
- key = update_key_add_rotation(project_id, location_id, key_ring_id, symmetric_key_id)
- assert key.rotation_period.seconds == 60*60*24*30
- assert key.next_rotation_time.seconds > 0
-
-
-def test_update_key_remove_labels(project_id, location_id, key_ring_id, symmetric_key_id):
- key = update_key_remove_labels(project_id, location_id, key_ring_id, symmetric_key_id)
- assert key.labels == {}
-
-
-def test_update_key_remove_rotation(project_id, location_id, key_ring_id, symmetric_key_id):
- key = update_key_remove_rotation(project_id, location_id, key_ring_id, symmetric_key_id)
- assert key.rotation_period.seconds == 0
- assert key.next_rotation_time.seconds == 0
-
-
-def test_update_key_set_primary(project_id, location_id, key_ring_id, symmetric_key_id):
- key = update_key_set_primary(project_id, location_id, key_ring_id, symmetric_key_id, '1')
- assert '1' in key.primary.name
-
-
-def test_update_key_update_labels(project_id, location_id, key_ring_id, symmetric_key_id):
- key = update_key_update_labels(project_id, location_id, key_ring_id, symmetric_key_id)
- assert key.labels == {'new_label': 'new_value'}
-
-
-def test_verify_asymmetric_ec(client, project_id, location_id, key_ring_id, asymmetric_sign_ec_key_id):
- message = 'my message'
-
- key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, asymmetric_sign_ec_key_id, '1')
- hash_ = hashlib.sha256(message.encode('utf-8')).digest()
- sign_response = client.asymmetric_sign(key_version_name, {'sha256': hash_})
-
- verified = verify_asymmetric_ec(project_id, location_id, key_ring_id, asymmetric_sign_ec_key_id, '1', message, sign_response.signature)
- assert verified
-
-
-def test_verify_asymmetric_rsa(client, project_id, location_id, key_ring_id, asymmetric_sign_rsa_key_id):
- message = 'my message'
-
- key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, asymmetric_sign_rsa_key_id, '1')
- hash_ = hashlib.sha256(message.encode('utf-8')).digest()
- sign_response = client.asymmetric_sign(key_version_name, {'sha256': hash_})
-
- verified = verify_asymmetric_rsa(project_id, location_id, key_ring_id, asymmetric_sign_rsa_key_id, '1', message, sign_response.signature)
- assert verified
-
-
-def test_quickstart(project_id, location_id):
- key_rings = quickstart(project_id, location_id)
- assert key_rings
diff --git a/kms/api-client/update_key_add_rotation.py b/kms/api-client/update_key_add_rotation.py
deleted file mode 100644
index 22dd6b6622f..00000000000
--- a/kms/api-client/update_key_add_rotation.py
+++ /dev/null
@@ -1,62 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-
-
-# [START kms_update_key_add_rotation_schedule]
-def update_key_add_rotation(project_id, location_id, key_ring_id, key_id):
- """
- Add a rotation schedule to an existing key.
-
- Args:
- project_id (string): Google Cloud project ID (e.g. 'my-project').
- location_id (string): Cloud KMS location (e.g. 'us-east1').
- key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring').
- key_id (string): ID of the key to use (e.g. 'my-key').
-
- Returns:
- CryptoKey: Updated Cloud KMS key.
-
- """
-
- # Import the client library.
- from google.cloud import kms
-
- # Import time for getting the current time.
- import time
-
- # Create the client.
- client = kms.KeyManagementServiceClient()
-
- # Build the key name.
- key_name = client.crypto_key_path(project_id, location_id, key_ring_id, key_id)
-
- # Build the key. We need to build a full proto instead of a dict due to
- # https://github.com/googleapis/gapic-generator-python/issues/364.
- from google.cloud.kms_v1.proto import resources_pb2
- key = resources_pb2.CryptoKey()
- key.name = key_name
-
- # Rotate the key every 30 days.
- key.rotation_period.seconds = 60*60*24*30
-
- # Start the first rotation in 24 hours.
- key.next_rotation_time.seconds = int(time.time()) + 60*60*24
-
- # Build the update mask.
- update_mask = {'paths': ['rotation_period', 'next_rotation_time']}
-
- # Call the API.
- updated_key = client.update_crypto_key(key, update_mask)
- print('Updated key: {}'.format(updated_key.name))
- return updated_key
-# [END kms_update_key_add_rotation_schedule]
diff --git a/kms/api-client/update_key_remove_labels.py b/kms/api-client/update_key_remove_labels.py
deleted file mode 100644
index a44ab214b7a..00000000000
--- a/kms/api-client/update_key_remove_labels.py
+++ /dev/null
@@ -1,54 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-
-
-# [START kms_update_key_remove_labels]
-def update_key_remove_labels(project_id, location_id, key_ring_id, key_id):
- """
- Remove labels from an existing key.
-
- Args:
- project_id (string): Google Cloud project ID (e.g. 'my-project').
- location_id (string): Cloud KMS location (e.g. 'us-east1').
- key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring').
- key_id (string): ID of the key to use (e.g. 'my-key').
-
- Returns:
- CryptoKey: Updated Cloud KMS key.
-
- """
-
- # Import the client library.
- from google.cloud import kms
-
- # Create the client.
- client = kms.KeyManagementServiceClient()
-
- # Build the key name.
- key_name = client.crypto_key_path(project_id, location_id, key_ring_id, key_id)
-
- # Build the key. We need to build a full proto instead of a dict due to
- # https://github.com/googleapis/gapic-generator-python/issues/364.
- from google.cloud.kms_v1.proto import resources_pb2
- key = resources_pb2.CryptoKey()
- key.name = key_name
- key.labels.clear()
-
- # Build the update mask.
- update_mask = {'paths': ['labels']}
-
- # Call the API.
- updated_key = client.update_crypto_key(key, update_mask)
- print('Updated key: {}'.format(updated_key.name))
- return updated_key
-# [END kms_update_key_remove_labels]
diff --git a/kms/api-client/update_key_remove_rotation.py b/kms/api-client/update_key_remove_rotation.py
deleted file mode 100644
index 7f8707eb6eb..00000000000
--- a/kms/api-client/update_key_remove_rotation.py
+++ /dev/null
@@ -1,53 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-
-
-# [START kms_update_key_remove_rotation_schedule]
-def update_key_remove_rotation(project_id, location_id, key_ring_id, key_id):
- """
- Remove a rotation schedule from an existing key.
-
- Args:
- project_id (string): Google Cloud project ID (e.g. 'my-project').
- location_id (string): Cloud KMS location (e.g. 'us-east1').
- key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring').
- key_id (string): ID of the key to use (e.g. 'my-key').
-
- Returns:
- CryptoKey: Updated Cloud KMS key.
-
- """
-
- # Import the client library.
- from google.cloud import kms
-
- # Create the client.
- client = kms.KeyManagementServiceClient()
-
- # Build the key name.
- key_name = client.crypto_key_path(project_id, location_id, key_ring_id, key_id)
-
- # Build the key. We need to build a full proto instead of a dict due to
- # https://github.com/googleapis/gapic-generator-python/issues/364.
- from google.cloud.kms_v1.proto import resources_pb2
- key = resources_pb2.CryptoKey()
- key.name = key_name
-
- # Build the update mask.
- update_mask = {'paths': ['rotation_period', 'next_rotation_time']}
-
- # Call the API.
- updated_key = client.update_crypto_key(key, update_mask)
- print('Updated key: {}'.format(updated_key.name))
- return updated_key
-# [END kms_update_key_remove_rotation_schedule]
diff --git a/kms/api-client/update_key_set_primary.py b/kms/api-client/update_key_set_primary.py
deleted file mode 100644
index dd889dbd407..00000000000
--- a/kms/api-client/update_key_set_primary.py
+++ /dev/null
@@ -1,45 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-
-
-# [START kms_update_key_set_primary]
-def update_key_set_primary(project_id, location_id, key_ring_id, key_id, version_id):
- """
- Update the primary version of a key.
-
- Args:
- project_id (string): Google Cloud project ID (e.g. 'my-project').
- location_id (string): Cloud KMS location (e.g. 'us-east1').
- key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring').
- key_id (string): ID of the key to use (e.g. 'my-key').
- version_id (string): ID of the key to make primary (e.g. '2').
-
- Returns:
- CryptoKey: Updated Cloud KMS key.
-
- """
-
- # Import the client library.
- from google.cloud import kms
-
- # Create the client.
- client = kms.KeyManagementServiceClient()
-
- # Build the key name.
- key_name = client.crypto_key_path(project_id, location_id, key_ring_id, key_id)
-
- # Call the API.
- updated_key = client.update_crypto_key_primary_version(key_name, version_id)
- print('Updated {} primary to {}'.format(updated_key.name, version_id))
- return updated_key
-# [END kms_update_key_set_primary]
diff --git a/kms/api-client/update_key_update_labels.py b/kms/api-client/update_key_update_labels.py
deleted file mode 100644
index 21372472bc2..00000000000
--- a/kms/api-client/update_key_update_labels.py
+++ /dev/null
@@ -1,54 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-
-
-# [START kms_update_key_update_labels]
-def update_key_update_labels(project_id, location_id, key_ring_id, key_id):
- """
- Update labels on an existing key.
-
- Args:
- project_id (string): Google Cloud project ID (e.g. 'my-project').
- location_id (string): Cloud KMS location (e.g. 'us-east1').
- key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring').
- key_id (string): ID of the key to use (e.g. 'my-key').
-
- Returns:
- CryptoKey: Updated Cloud KMS key.
-
- """
-
- # Import the client library.
- from google.cloud import kms
-
- # Create the client.
- client = kms.KeyManagementServiceClient()
-
- # Build the key name.
- key_name = client.crypto_key_path(project_id, location_id, key_ring_id, key_id)
-
- # Build the key. We need to build a full proto instead of a dict due to
- # https://github.com/googleapis/gapic-generator-python/issues/364.
- from google.cloud.kms_v1.proto import resources_pb2
- key = resources_pb2.CryptoKey()
- key.name = key_name
- key.labels.update({'new_label': 'new_value'})
-
- # Build the update mask.
- update_mask = {'paths': ['labels']}
-
- # Call the API.
- updated_key = client.update_crypto_key(key, update_mask)
- print('Updated key: {}'.format(updated_key.name))
- return updated_key
-# [END kms_update_key_update_labels]
diff --git a/kms/api-client/verify_asymmetric_ec.py b/kms/api-client/verify_asymmetric_ec.py
deleted file mode 100644
index ac77a64b868..00000000000
--- a/kms/api-client/verify_asymmetric_ec.py
+++ /dev/null
@@ -1,72 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-
-
-# [START kms_verify_asymmetric_signature_ec]
-def verify_asymmetric_ec(project_id, location_id, key_ring_id, key_id, version_id, message, signature):
- """
- Verify the signature of an message signed with an asymmetric EC key.
-
- Args:
- project_id (string): Google Cloud project ID (e.g. 'my-project').
- location_id (string): Cloud KMS location (e.g. 'us-east1').
- key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring').
- key_id (string): ID of the key to use (e.g. 'my-key').
- version_id (string): ID of the version to use (e.g. '1').
- message (string): Original message (e.g. 'my message')
- signature (bytes): Signature from a sign request.
-
- Returns:
- bool: True if verified, False otherwise
-
- """
-
- # Import the client library.
- from google.cloud import kms
-
- # Import cryptographic helpers from the cryptography package.
- from cryptography.exceptions import InvalidSignature
- from cryptography.hazmat.backends import default_backend
- from cryptography.hazmat.primitives import hashes, serialization
- from cryptography.hazmat.primitives.asymmetric import ec, utils
-
- # Import hashlib.
- import hashlib
-
- # Convert the message to bytes.
- message_bytes = message.encode('utf-8')
-
- # Create the client.
- client = kms.KeyManagementServiceClient()
-
- # Build the key version name.
- key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, key_id, version_id)
-
- # Get the public key.
- public_key = client.get_public_key(key_version_name)
-
- # Extract and parse the public key as a PEM-encoded RSA key.
- pem = public_key.pem.encode('utf-8')
- ec_key = serialization.load_pem_public_key(pem, default_backend())
- hash_ = hashlib.sha256(message_bytes).digest()
-
- # Attempt to verify.
- try:
- sha256 = hashes.SHA256()
- ec_key.verify(signature, hash_, ec.ECDSA(utils.Prehashed(sha256)))
- print('Signature verified')
- return True
- except InvalidSignature:
- print('Signature failed to verify')
- return False
-# [END kms_verify_asymmetric_signature_ec]
diff --git a/kms/api-client/verify_asymmetric_rsa.py b/kms/api-client/verify_asymmetric_rsa.py
deleted file mode 100644
index 6df3d862f83..00000000000
--- a/kms/api-client/verify_asymmetric_rsa.py
+++ /dev/null
@@ -1,73 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-
-
-# [START kms_verify_asymmetric_signature_rsa]
-def verify_asymmetric_rsa(project_id, location_id, key_ring_id, key_id, version_id, message, signature):
- """
- Verify the signature of an message signed with an asymmetric RSA key.
-
- Args:
- project_id (string): Google Cloud project ID (e.g. 'my-project').
- location_id (string): Cloud KMS location (e.g. 'us-east1').
- key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring').
- key_id (string): ID of the key to use (e.g. 'my-key').
- version_id (string): ID of the version to use (e.g. '1').
- message (string): Original message (e.g. 'my message')
- signature (bytes): Signature from a sign request.
-
- Returns:
- bool: True if verified, False otherwise
-
- """
-
- # Import the client library.
- from google.cloud import kms
-
- # Import cryptographic helpers from the cryptography package.
- from cryptography.exceptions import InvalidSignature
- from cryptography.hazmat.backends import default_backend
- from cryptography.hazmat.primitives import hashes, serialization
- from cryptography.hazmat.primitives.asymmetric import padding, utils
-
- # Import hashlib.
- import hashlib
-
- # Convert the message to bytes.
- message_bytes = message.encode('utf-8')
-
- # Create the client.
- client = kms.KeyManagementServiceClient()
-
- # Build the key version name.
- key_version_name = client.crypto_key_version_path(project_id, location_id, key_ring_id, key_id, version_id)
-
- # Get the public key.
- public_key = client.get_public_key(key_version_name)
-
- # Extract and parse the public key as a PEM-encoded RSA key.
- pem = public_key.pem.encode('utf-8')
- rsa_key = serialization.load_pem_public_key(pem, default_backend())
- hash_ = hashlib.sha256(message_bytes).digest()
-
- # Attempt to verify.
- try:
- sha256 = hashes.SHA256()
- pad = padding.PKCS1v15()
- rsa_key.verify(signature, hash_, pad, utils.Prehashed(sha256))
- print('Signature verified')
- return True
- except InvalidSignature:
- print('Signature failed to verify')
- return False
-# [END kms_verify_asymmetric_signature_rsa]
diff --git a/kms/attestations/README.rst b/kms/attestations/README.rst
deleted file mode 100644
index dddddfbcd7d..00000000000
--- a/kms/attestations/README.rst
+++ /dev/null
@@ -1,74 +0,0 @@ -.. This file is automatically generated. Do not edit this file directly. - -Google Cloud Key Management Service Python Samples -=============================================================================== - -.. image:: https://gstatic.com/cloudssh/images/open-btn.png - :target: https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/GoogleCloudPlatform/python-docs-samples&page=editor&open_in_editor=kms/attestations/README.rst - - -This directory contains samples for Google Cloud Key Management Service. The `Cloud Key Management Service`_ allows you to create, import, and manage cryptographic keys and perform cryptographic operations in a single centralized cloud service. - - - - -.. _Google Cloud Key Management Service: https://cloud.google.com/kms/docs/ - -Setup -------------------------------------------------------------------------------- - - -Install Dependencies -++++++++++++++++++++ - -#. Clone python-docs-samples and change directory to the sample directory you want to use. - - .. code-block:: bash - - $ git clone https://github.com/GoogleCloudPlatform/python-docs-samples.git - -#. Install `pip`_ and `virtualenv`_ if you do not already have them. You may want to refer to the `Python Development Environment Setup Guide`_ for Google Cloud Platform for instructions. - - .. _Python Development Environment Setup Guide: - https://cloud.google.com/python/setup - -#. Create a virtualenv. Samples are compatible with Python 2.7 and 3.4+. - - .. code-block:: bash - - $ virtualenv env - $ source env/bin/activate - -#. Install the dependencies needed to run the samples. - - .. code-block:: bash - - $ pip install -r requirements.txt - -.. _pip: https://pip.pypa.io/ -.. 
_virtualenv: https://virtualenv.pypa.io/ - -Samples -------------------------------------------------------------------------------- - -Verify attestations for keys generated by Cloud HSM -+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - -.. image:: https://gstatic.com/cloudssh/images/open-btn.png - :target: https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/GoogleCloudPlatform/python-docs-samples&page=editor&open_in_editor=kms/attestations/verify_attestation.py,kms/attestations/README.rst - - - - -To run this sample: - -.. code-block:: bash - - $ python verify_attestation.py - - - - - - -.. _Google Cloud SDK: https://cloud.google.com/sdk/ \ No newline at end of file diff --git a/kms/attestations/README.rst.in b/kms/attestations/README.rst.in deleted file mode 100644 index 3e188a17a5e..00000000000 --- a/kms/attestations/README.rst.in +++ /dev/null @@ -1,19 +0,0 @@ -# This file is used to generate README.rst - -product: - name: Google Cloud Key Management Service - short_name: Cloud Key Management Service - url: https://cloud.google.com/kms/docs/ - description: > - The `Cloud Key Management Service`_ allows you to create, import, and manage - cryptographic keys and perform cryptographic operations in a single centralized cloud service. - -setup: -- install_deps - -samples: -- name: Verify attestations for keys generated by Cloud HSM - file: verify_attestation.py - show_help: True - -folder: kms/attestations diff --git a/kms/attestations/requirements-test.txt b/kms/attestations/requirements-test.txt deleted file mode 100644 index d3e30fa6c73..00000000000 --- a/kms/attestations/requirements-test.txt +++ /dev/null @@ -1 +0,0 @@ -pytest==5.4.1 diff --git a/kms/attestations/requirements.txt b/kms/attestations/requirements.txt deleted file mode 100644 index 9f3e724fee1..00000000000 --- a/kms/attestations/requirements.txt +++ /dev/null @@ -1,2 +0,0 @@ -cryptography==2.9.2 -pem==20.1.0 
diff --git a/kms/attestations/verify_attestation.py b/kms/attestations/verify_attestation.py
deleted file mode 100644
index e534ad9eecb..00000000000
--- a/kms/attestations/verify_attestation.py
+++ /dev/null
@@ -1,86 +0,0 @@
-#!/usr/bin/env python
-
-# Copyright 2020 Google, LLC.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-"""This application verifies HSM attestations using certificate bundles
-obtained from Cloud HSM.
-
-For more information, visit https://cloud.google.com/kms/docs/attest-key.
-"""
-
-# [START verify_attestations]
-import argparse
-import gzip
-
-from cryptography import exceptions
-from cryptography import x509
-from cryptography.hazmat import backends
-from cryptography.hazmat.primitives.asymmetric import padding
-import pem
-
-
-def verify(attestation_file, bundle_file):
- """Verifies an attestation using a bundle of certificates.
-
- Args:
- attestation_file: The name of the attestation file.
- bundle_file: The name of the bundle file containing the certificates
- used to verify the attestation.
-
- Returns:
- True if at least one of the certificates in bundle_file can verify the
- attestation data and its signature.
- """
- with gzip.open(attestation_file, 'rb') as f:
- # An attestation file consists of a data portion and a 256 byte
- # signature portion concatenated together.
- attestation = f.read()
- # Separate the components.
- data = attestation[:-256]
- signature = attestation[-256:]
-
- # Verify the attestation with one of the certificates in the bundle
- for cert in pem.parse_file(bundle_file):
- cert_obj = x509.load_pem_x509_certificate(
- str(cert).encode('utf-8'), backends.default_backend())
- try:
- # Check if the data was signed by the private key assosicated
- # with the public key in the certificate. The data should have
- # been signed with PKCS1v15 padding.
- cert_obj.public_key().verify(
- signature, data, padding.PKCS1v15(),
- cert_obj.signature_hash_algorithm)
- return True
- except exceptions.InvalidSignature:
- # Certificate bundles contain certificates that will not be
- # able to verify the attestation, so the InvalidSignature
- # errors can be ignored.
- continue
- return False
-# [END verify_attestations]
-
-
-if __name__ == '__main__':
- parser = argparse.ArgumentParser(
- description=__doc__)
- parser.add_argument('attestation_file', help="Name of attestation file.")
- parser.add_argument('bundle_file', help="Name of certificate bundle file.")
-
- args = parser.parse_args()
-
- if verify(args.attestation_file, args.bundle_file):
- print('Signature verified.')
- else:
- print('Signature verification failed.')
diff --git a/kms/attestations/verify_attestation_test.py b/kms/attestations/verify_attestation_test.py
deleted file mode 100644
index 5cdc5ef2dee..00000000000
--- a/kms/attestations/verify_attestation_test.py
+++ /dev/null
@@ -1,109 +0,0 @@ -# Copyright 2020 Google, LLC. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -import tempfile - -import verify_attestation - -# Test certificate bundles can be generated with the following steps: -# 1. Generate test key pairs. -# - openssl genrsa -out test1.key 2048 -# - openssl genrsa -out test2.key 2048 -# 2. Generate test certificates using the key pairs. -# - openssl req -x509 -key test1.key -days 3650 -out test1.pem -# - openssl req -x509 -key test2.key -days 3650 -out test2.pem -# 3. Create a bundle using the test certificates. 
-# - cat test1.pem test2.pem > bundle.pem -# For instructions on downloading certificate bundles from Cloud HSM, refer to: -# https://cloud.google.com/kms/docs/attest-key#downloading_the_certificates -TEST_CERT_BUNDLE = b"""-----BEGIN CERTIFICATE----- -MIIDZDCCAkwCFE2PSNf++wMw+Jv86m41lbsa9aUMMA0GCSqGSIb3DQEBCwUAMFkx -CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl -cm5ldCBXaWRnaXRzIFB0eSBMdGQxEjAQBgNVBAMMCVRlc3QgQ2FyZDAeFw0yMDAz -MzEyMTQ0MjNaFw0zMDAzMjkyMTQ0MjNaMIGDMQswCQYDVQQGEwJBVTETMBEGA1UE -CAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk -MSMwIQYDVQQLDBpjbG91ZC1rbXMtcHJvZC11cy1jZW50cmFsMTEXMBUGA1UEAwwO -VGVzdCBQYXJ0aXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDh -cOk8hil8G4vl66jb02eXu2rKO6PmNF1GziXtzawyhx/+PDmEuGu+g/8hpivY6vDr -buAMFs8OIBBBlfED/soVANflXktDRGqWJau+rIrw9EGcclcwzlIboIi6KLPcLih0 -N0TTxqRLgy2EsEQ6UKS7su4bOIxD3Z6FSeTsoq+C2sgSWXmLitO0iRYYcgRjoyCU -kdzzO/JCwPKhhQx5NUrrHseALaIltG4D0aWLuBZKyV38yA1XEMdyCGk7RedEYC+v -OzaJrNToQBCIaCdn3F0uqJd49irLNPyQ5CY3NNL8rupJSq3iVxhEIZ8ANaU8UDvo -5iaQNKV1/KiQsXfUW6fbAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIIGB0aXhd6k -xyWgYzJ0DHpYP2ALwHRWXde5PtEkdHDguPlUTzZ5iTfqOJlEeUXlDO9RV82jc4mE -hguCaMl3Q+2JGLJLCnSDgcaY5WAVBF9FSakdbHBj4Ik9L8NDlUQB6Me4d4gKWpg1 -bUD4n2KtvCZGZzA3pfRBcYyAbwC+xEi1XrITyshb0pkjsWO4Urg36W/RpkCiYAw0 -Xua0jJMG/wcF+xktd7kgcsBh5Es2VCzyQwisXoOIi3EY7lMJK2+ctjQFy1GxumBU -jBlXj0VjAm3QOVLTh3mfb1XofoIjOOYkMBjXMiQhFy/Lv68u5q7qlEYe92OKxkCO -0UaAcqt8+QM= ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIDRjCCAi4CFBVm+eV+oRkaYq2NyuTfwxWapjFOMA0GCSqGSIb3DQEBCwUAMGYx -CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl -cm5ldCBXaWRnaXRzIFB0eSBMdGQxHzAdBgNVBAMMFlRlc3QgTWFudWZhY3R1cmVy -IFJvb3QwHhcNMjAwMzMxMjE0MjU1WhcNMzAwMzI5MjE0MjU1WjBZMQswCQYDVQQG -EwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lk -Z2l0cyBQdHkgTHRkMRIwEAYDVQQDDAlUZXN0IENhcmQwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQC28Wu0dusN6AYkYon8RIuHlJWWwZWlTxXSMK4v/IOY 
-pG9F2/gUEDMQOgpyCCpTc5eLHRPa/Z2QgB0c2VSlQC8FZ1l9/YL7uBTJ0UpDoBf8 -LUimIqotneXpL+7CW1kWFLZIgpm0iVuTPjV2b3frtvu0B+nYuyo4dtToebqoOKse -F3ymLsAjSqA9aoCD0XbspAkLJIvdQU28vXY4Y2y0OTGUnaQ7ZDwkNLxeAfeIdNJD -FRCcYsLRopsyptFMYLLDrI70gywAGYaGOxYG8747BIZELyT5Gnt0o7JwpuF8Mi53 -T5NGiu5/wLwXnxRRhb3M5+lStdTfvbEfgK1mC0ac8ym5AgMBAAEwDQYJKoZIhvcN -AQELBQADggEBAILH0Q8WlgaGBosPBjnpAsp4eZOfq9skKZERYzFA2wBAy4B0q9/S -3oL1MIZEU6/ckiFyAm3r4/ZxMLX0UrisuRQUFQ3w+gqFccqlmGETsZGJpPtfIm+n -JQo44XXnTHndqoYPNfvfQkp0WtJQS8hSgTASP+1GYjqOn1fZaa28m39/mx9Mrw7K -xtXOtrdKqJhWCWJPprfC5sYNCYTA2HXVmBU2Y4AP4A4w+A1gCAdzvH8EEyDjnvxJ -GEa4uczhA3n+NmhLipg1aGbxJO5ZHXdyFF2rTXVVXSiX8EEasnwcTDjeXDKhdpu6 -biaxW9fnsJIXirAE03FFkC/tWelkGFkmMfs= ------END CERTIFICATE-----""" - -# Test attestations can be generated with the following steps: -# 1. Create a file containing the test attestation statement. -# - echo "content" > attestation.dat -# 2. Sign the file with one the key pairs used to create the test certificates. -# - openssl dgst -sha256 -sign test1.key -out signature.dat attestation.dat -# 3. Concatenate the signature to the statement to create an attestation. -# - cat signature.dat >> attestation.dat -# 4. Compress the test attestation. 
-# - gzip attestation.dat -# For instructions on downloading attestations from Cloud HSM, refer to: -# https://cloud.google.com/kms/docs/attest-key#downloading_the_attestation_statement -TEST_ATTESTATION_GZ = ( - b'\x1f\x8b\x08\x08\xda\xde\x84^\x00\x03attestation\x00\x01\x06\x01\xf9\xfe' - b'\x15\xa7~W\xdazHq03\x95\xd1F\xcf\x1d\n\xe0\xbbv\x11\xed\xae\x186\xc0\xcc' - b'.\xcf)\xf1?\xf7!\xf3\xd6M\x85\xfe\xb9\x84\xb2\x08V2(\xa1\x87]\xab\x01=' - b'\xb5\x0f)~\x06\xee\xfa/\x94\xa6x\x96o\xb1\xcb$\x82\x90\xe03J\t\x03\xf0' - b'\xa4\xa5\xa9\xf9\xb2\xce\xdd2\xfam\x94W\x07\x00~\xa5\xc2\xcdq\xa1\x81' - b'\x18\x83\xe0\xd9\x11k]\xbd\xf8\x81@\x9c*\x80\x91R\xb0\xae\x9d\x88\xb8T' - b'\xd1>\xf6;\xe4\x83q%_\x8aw\x894\xb5:\xeab\xd2\x9a\x81\xdd\xa6\xf9\x94' - b'\xff8\xb1\xed\x7fs\x0e\xc0\xde\x89\x00]\x8fL\x82\x8a\x11\x8f\\\xe483\x9d' - b'&\x0b%\xfd\x0et\x8f\xa8\x1a\xb5K\xb4\xc7\x96\xd1}\x06\xdd\x93i\x1f\xc1@' - b'\x92\xef}(B\x0f\xd1\x03\xaaYo\x9b\xad\xa9zw#\xc8\x9a\xad\x94\xfc\x07q]x' - b'\xeb\xa2CA\xf8\xac\x96\xd9\xe5y4\xae]\x81\xb0$\x93\tx\xdb\xcc\x08:%\x1d' - b'\xe2q\xaa\xc8:\xc2