From 4b7c9f96a73fba8b825f8c7cfabc748728c0eb62 Mon Sep 17 00:00:00 2001 From: "gcf-owl-bot[bot]" <78513119+gcf-owl-bot[bot]@users.noreply.github.com> Date: Sat, 7 Aug 2021 11:52:25 +0000 Subject: [PATCH] feat: add support for HMAC, Variable Key Destruction, and GenerateRandom (#157) PiperOrigin-RevId: 389008671 Source-Link: https://github.com/googleapis/googleapis/commit/2efb6951f151116fb7b5766fb4e377db465d49e9 Source-Link: https://github.com/googleapis/googleapis-gen/commit/e2b2b87aab8ac70936fdb5fd61cb4e566530ca66 --- google/cloud/kms/__init__.py | 12 + google/cloud/kms_v1/__init__.py | 12 + google/cloud/kms_v1/gapic_metadata.json | 30 + .../key_management_service/async_client.py | 586 +++++-- .../services/key_management_service/client.py | 544 ++++-- .../key_management_service/transports/base.py | 87 +- .../key_management_service/transports/grpc.py | 239 ++- .../transports/grpc_asyncio.py | 248 ++- google/cloud/kms_v1/types/__init__.py | 12 + google/cloud/kms_v1/types/resources.py | 30 + google/cloud/kms_v1/types/service.py | 478 +++++- owlbot.py | 2 +- scripts/fixup_kms_v1_keywords.py | 3 + .../kms_v1/test_key_management_service.py | 1483 +++++++++++++---- 14 files changed, 2856 insertions(+), 910 deletions(-) diff --git a/google/cloud/kms/__init__.py b/google/cloud/kms/__init__.py index e5fc329e..d2f8e067 100644 --- a/google/cloud/kms/__init__.py +++ b/google/cloud/kms/__init__.py @@ -44,6 +44,8 @@ from google.cloud.kms_v1.types.service import Digest from google.cloud.kms_v1.types.service import EncryptRequest from google.cloud.kms_v1.types.service import EncryptResponse +from google.cloud.kms_v1.types.service import GenerateRandomBytesRequest +from google.cloud.kms_v1.types.service import GenerateRandomBytesResponse from google.cloud.kms_v1.types.service import GetCryptoKeyRequest from google.cloud.kms_v1.types.service import GetCryptoKeyVersionRequest from google.cloud.kms_v1.types.service import GetImportJobRequest @@ -59,6 +61,10 @@ from google.cloud.kms_v1.types.service import ListKeyRingsRequest from google.cloud.kms_v1.types.service import ListKeyRingsResponse from google.cloud.kms_v1.types.service import LocationMetadata +from google.cloud.kms_v1.types.service import MacSignRequest +from google.cloud.kms_v1.types.service import MacSignResponse +from google.cloud.kms_v1.types.service import MacVerifyRequest +from google.cloud.kms_v1.types.service import MacVerifyResponse from google.cloud.kms_v1.types.service import RestoreCryptoKeyVersionRequest from google.cloud.kms_v1.types.service import UpdateCryptoKeyPrimaryVersionRequest from google.cloud.kms_v1.types.service import UpdateCryptoKeyRequest @@ -90,6 +96,8 @@ "Digest", "EncryptRequest", "EncryptResponse", + "GenerateRandomBytesRequest", + "GenerateRandomBytesResponse", "GetCryptoKeyRequest", "GetCryptoKeyVersionRequest", "GetImportJobRequest", @@ -105,6 +113,10 @@ "ListKeyRingsRequest", "ListKeyRingsResponse", "LocationMetadata", + "MacSignRequest", + "MacSignResponse", + "MacVerifyRequest", + "MacVerifyResponse", "RestoreCryptoKeyVersionRequest", "UpdateCryptoKeyPrimaryVersionRequest", "UpdateCryptoKeyRequest", diff --git a/google/cloud/kms_v1/__init__.py b/google/cloud/kms_v1/__init__.py index fa676dae..42ba567c 100644 --- a/google/cloud/kms_v1/__init__.py +++ b/google/cloud/kms_v1/__init__.py @@ -40,6 +40,8 @@ from .types.service import Digest from .types.service import EncryptRequest from .types.service import EncryptResponse +from .types.service import GenerateRandomBytesRequest +from .types.service import GenerateRandomBytesResponse from .types.service import GetCryptoKeyRequest from .types.service import GetCryptoKeyVersionRequest from .types.service import GetImportJobRequest @@ -55,6 +57,10 @@ from .types.service import ListKeyRingsRequest from .types.service import ListKeyRingsResponse from .types.service import LocationMetadata +from .types.service import MacSignRequest +from .types.service import MacSignResponse +from .types.service import MacVerifyRequest +from .types.service import MacVerifyResponse from .types.service import RestoreCryptoKeyVersionRequest from .types.service import UpdateCryptoKeyPrimaryVersionRequest from .types.service import UpdateCryptoKeyRequest @@ -80,6 +86,8 @@ "EncryptRequest", "EncryptResponse", "ExternalProtectionLevelOptions", + "GenerateRandomBytesRequest", + "GenerateRandomBytesResponse", "GetCryptoKeyRequest", "GetCryptoKeyVersionRequest", "GetImportJobRequest", @@ -99,6 +107,10 @@ "ListKeyRingsRequest", "ListKeyRingsResponse", "LocationMetadata", + "MacSignRequest", + "MacSignResponse", + "MacVerifyRequest", + "MacVerifyResponse", "ProtectionLevel", "PublicKey", "RestoreCryptoKeyVersionRequest", diff --git a/google/cloud/kms_v1/gapic_metadata.json b/google/cloud/kms_v1/gapic_metadata.json index da65906d..582da425 100644 --- a/google/cloud/kms_v1/gapic_metadata.json +++ b/google/cloud/kms_v1/gapic_metadata.json @@ -55,6 +55,11 @@ "encrypt" ] }, + "GenerateRandomBytes": { + "methods": [ + "generate_random_bytes" + ] + }, "GetCryptoKey": { "methods": [ "get_crypto_key" @@ -105,6 +110,16 @@ "list_key_rings" ] }, + "MacSign": { + "methods": [ + "mac_sign" + ] + }, + "MacVerify": { + "methods": [ + "mac_verify" + ] + }, "RestoreCryptoKeyVersion": { "methods": [ "restore_crypto_key_version" @@ -175,6 +190,11 @@ "encrypt" ] }, + "GenerateRandomBytes": { + "methods": [ + "generate_random_bytes" + ] + }, "GetCryptoKey": { "methods": [ "get_crypto_key" @@ -225,6 +245,16 @@ "list_key_rings" ] }, + "MacSign": { + "methods": [ + "mac_sign" + ] + }, + "MacVerify": { + "methods": [ + "mac_verify" + ] + }, "RestoreCryptoKeyVersion": { "methods": [ "restore_crypto_key_version" diff --git a/google/cloud/kms_v1/services/key_management_service/async_client.py b/google/cloud/kms_v1/services/key_management_service/async_client.py index 6e63d24c..e5593790 100644 --- a/google/cloud/kms_v1/services/key_management_service/async_client.py +++ b/google/cloud/kms_v1/services/key_management_service/async_client.py @@ -1818,6 +1818,329 @@ async def update_crypto_key_version( # Done; return the response. return response + async def update_crypto_key_primary_version( + self, + request: service.UpdateCryptoKeyPrimaryVersionRequest = None, + *, + name: str = None, + crypto_key_version_id: str = None, + retry: retries.Retry = gapic_v1.method.DEFAULT, + timeout: float = None, + metadata: Sequence[Tuple[str, str]] = (), + ) -> resources.CryptoKey: + r"""Update the version of a + [CryptoKey][google.cloud.kms.v1.CryptoKey] that will be used in + [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. + + Returns an error if called on a key whose purpose is not + [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]. + + + Args: + request (:class:`google.cloud.kms_v1.types.UpdateCryptoKeyPrimaryVersionRequest`): + The request object. Request message for + [KeyManagementService.UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion]. + name (:class:`str`): + Required. The resource name of the + [CryptoKey][google.cloud.kms.v1.CryptoKey] to update. + + This corresponds to the ``name`` field + on the ``request`` instance; if ``request`` is provided, this + should not be set. + crypto_key_version_id (:class:`str`): + Required. The id of the child + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] + to use as primary. + + This corresponds to the ``crypto_key_version_id`` field + on the ``request`` instance; if ``request`` is provided, this + should not be set. + retry (google.api_core.retry.Retry): Designation of what errors, if any, + should be retried. + timeout (float): The timeout for this request. + metadata (Sequence[Tuple[str, str]]): Strings which should be + sent along with the request as metadata. + + Returns: + google.cloud.kms_v1.types.CryptoKey: + A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key that can be used for cryptographic + operations. + + A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made + up of zero or more + [versions][google.cloud.kms.v1.CryptoKeyVersion], + which represent the actual key material used in + cryptographic operations. + + """ + # Create or coerce a protobuf request object. + # Sanity check: If we got a request object, we should *not* have + # gotten any keyword arguments that map to the request. + has_flattened_params = any([name, crypto_key_version_id]) + if request is not None and has_flattened_params: + raise ValueError( + "If the `request` argument is set, then none of " + "the individual field arguments should be set." + ) + + request = service.UpdateCryptoKeyPrimaryVersionRequest(request) + + # If we have keyword arguments corresponding to fields on the + # request, apply these. + if name is not None: + request.name = name + if crypto_key_version_id is not None: + request.crypto_key_version_id = crypto_key_version_id + + # Wrap the RPC method; this adds retry and timeout information, + # and friendly error handling. + rpc = gapic_v1.method_async.wrap_method( + self._client._transport.update_crypto_key_primary_version, + default_retry=retries.Retry( + initial=0.1, + maximum=60.0, + multiplier=1.3, + predicate=retries.if_exception_type( + core_exceptions.DeadlineExceeded, + core_exceptions.ServiceUnavailable, + ), + deadline=60.0, + ), + default_timeout=60.0, + client_info=DEFAULT_CLIENT_INFO, + ) + + # Certain fields should be provided within the metadata header; + # add these here. + metadata = tuple(metadata) + ( + gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)), + ) + + # Send the request. + response = await rpc(request, retry=retry, timeout=timeout, metadata=metadata,) + + # Done; return the response. + return response + + async def destroy_crypto_key_version( + self, + request: service.DestroyCryptoKeyVersionRequest = None, + *, + name: str = None, + retry: retries.Retry = gapic_v1.method.DEFAULT, + timeout: float = None, + metadata: Sequence[Tuple[str, str]] = (), + ) -> resources.CryptoKeyVersion: + r"""Schedule a + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] for + destruction. + + Upon calling this method, + [CryptoKeyVersion.state][google.cloud.kms.v1.CryptoKeyVersion.state] + will be set to + [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED] + and + [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] + will be set to a time 24 hours in the future, at which point the + [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be + changed to + [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED], + and the key material will be irrevocably destroyed. + + Before the + [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] + is reached, + [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion] + may be called to reverse the process. + + + Args: + request (:class:`google.cloud.kms_v1.types.DestroyCryptoKeyVersionRequest`): + The request object. Request message for + [KeyManagementService.DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion]. + name (:class:`str`): + Required. The resource name of the + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] + to destroy. + + This corresponds to the ``name`` field + on the ``request`` instance; if ``request`` is provided, this + should not be set. + retry (google.api_core.retry.Retry): Designation of what errors, if any, + should be retried. + timeout (float): The timeout for this request. + metadata (Sequence[Tuple[str, str]]): Strings which should be + sent along with the request as metadata. + + Returns: + google.cloud.kms_v1.types.CryptoKeyVersion: + A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the + associated key material. + + An + [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] + version can be used for cryptographic operations. + + For security reasons, the raw cryptographic key + material represented by a + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] + can never be viewed or exported. It can only be used + to encrypt, decrypt, or sign data when an authorized + user or application invokes Cloud KMS. + + """ + # Create or coerce a protobuf request object. + # Sanity check: If we got a request object, we should *not* have + # gotten any keyword arguments that map to the request. + has_flattened_params = any([name]) + if request is not None and has_flattened_params: + raise ValueError( + "If the `request` argument is set, then none of " + "the individual field arguments should be set." + ) + + request = service.DestroyCryptoKeyVersionRequest(request) + + # If we have keyword arguments corresponding to fields on the + # request, apply these. + if name is not None: + request.name = name + + # Wrap the RPC method; this adds retry and timeout information, + # and friendly error handling. + rpc = gapic_v1.method_async.wrap_method( + self._client._transport.destroy_crypto_key_version, + default_retry=retries.Retry( + initial=0.1, + maximum=60.0, + multiplier=1.3, + predicate=retries.if_exception_type( + core_exceptions.DeadlineExceeded, + core_exceptions.ServiceUnavailable, + ), + deadline=60.0, + ), + default_timeout=60.0, + client_info=DEFAULT_CLIENT_INFO, + ) + + # Certain fields should be provided within the metadata header; + # add these here. + metadata = tuple(metadata) + ( + gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)), + ) + + # Send the request. + response = await rpc(request, retry=retry, timeout=timeout, metadata=metadata,) + + # Done; return the response. + return response + + async def restore_crypto_key_version( + self, + request: service.RestoreCryptoKeyVersionRequest = None, + *, + name: str = None, + retry: retries.Retry = gapic_v1.method.DEFAULT, + timeout: float = None, + metadata: Sequence[Tuple[str, str]] = (), + ) -> resources.CryptoKeyVersion: + r"""Restore a + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the + [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED] + state. + + Upon restoration of the CryptoKeyVersion, + [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set + to + [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED], + and + [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] + will be cleared. + + + Args: + request (:class:`google.cloud.kms_v1.types.RestoreCryptoKeyVersionRequest`): + The request object. Request message for + [KeyManagementService.RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion]. + name (:class:`str`): + Required. The resource name of the + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] + to restore. + + This corresponds to the ``name`` field + on the ``request`` instance; if ``request`` is provided, this + should not be set. + retry (google.api_core.retry.Retry): Designation of what errors, if any, + should be retried. + timeout (float): The timeout for this request. + metadata (Sequence[Tuple[str, str]]): Strings which should be + sent along with the request as metadata. + + Returns: + google.cloud.kms_v1.types.CryptoKeyVersion: + A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the + associated key material. + + An + [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] + version can be used for cryptographic operations. + + For security reasons, the raw cryptographic key + material represented by a + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] + can never be viewed or exported. It can only be used + to encrypt, decrypt, or sign data when an authorized + user or application invokes Cloud KMS. + + """ + # Create or coerce a protobuf request object. + # Sanity check: If we got a request object, we should *not* have + # gotten any keyword arguments that map to the request. + has_flattened_params = any([name]) + if request is not None and has_flattened_params: + raise ValueError( + "If the `request` argument is set, then none of " + "the individual field arguments should be set." + ) + + request = service.RestoreCryptoKeyVersionRequest(request) + + # If we have keyword arguments corresponding to fields on the + # request, apply these. + if name is not None: + request.name = name + + # Wrap the RPC method; this adds retry and timeout information, + # and friendly error handling. + rpc = gapic_v1.method_async.wrap_method( + self._client._transport.restore_crypto_key_version, + default_retry=retries.Retry( + initial=0.1, + maximum=60.0, + multiplier=1.3, + predicate=retries.if_exception_type( + core_exceptions.DeadlineExceeded, + core_exceptions.ServiceUnavailable, + ), + deadline=60.0, + ), + default_timeout=60.0, + client_info=DEFAULT_CLIENT_INFO, + ) + + # Certain fields should be provided within the metadata header; + # add these here. + metadata = tuple(metadata) + ( + gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)), + ) + + # Send the request. + response = await rpc(request, retry=retry, timeout=timeout, metadata=metadata,) + + # Done; return the response. + return response + async def encrypt( self, request: service.EncryptRequest = None, @@ -2228,41 +2551,41 @@ async def asymmetric_decrypt( # Done; return the response. return response - async def update_crypto_key_primary_version( + async def mac_sign( self, - request: service.UpdateCryptoKeyPrimaryVersionRequest = None, + request: service.MacSignRequest = None, *, name: str = None, - crypto_key_version_id: str = None, + data: bytes = None, retry: retries.Retry = gapic_v1.method.DEFAULT, timeout: float = None, metadata: Sequence[Tuple[str, str]] = (), - ) -> resources.CryptoKey: - r"""Update the version of a - [CryptoKey][google.cloud.kms.v1.CryptoKey] that will be used in - [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. - - Returns an error if called on a key whose purpose is not - [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]. + ) -> service.MacSignResponse: + r"""Signs data using a + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with + [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] MAC, + producing a tag that can be verified by another source with the + same key. Args: - request (:class:`google.cloud.kms_v1.types.UpdateCryptoKeyPrimaryVersionRequest`): + request (:class:`google.cloud.kms_v1.types.MacSignRequest`): The request object. Request message for - [KeyManagementService.UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion]. + [KeyManagementService.MacSign][google.cloud.kms.v1.KeyManagementService.MacSign]. name (:class:`str`): Required. The resource name of the - [CryptoKey][google.cloud.kms.v1.CryptoKey] to update. + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] + to use for signing. This corresponds to the ``name`` field on the ``request`` instance; if ``request`` is provided, this should not be set. - crypto_key_version_id (:class:`str`): - Required. The id of the child - [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] - to use as primary. + data (:class:`bytes`): + Required. The data to sign. The MAC + tag is computed over this data field + based on the specific algorithm. - This corresponds to the ``crypto_key_version_id`` field + This corresponds to the ``data`` field on the ``request`` instance; if ``request`` is provided, this should not be set. retry (google.api_core.retry.Retry): Designation of what errors, if any, @@ -2272,51 +2595,35 @@ async def update_crypto_key_primary_version( sent along with the request as metadata. Returns: - google.cloud.kms_v1.types.CryptoKey: - A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key that can be used for cryptographic - operations. - - A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made - up of zero or more - [versions][google.cloud.kms.v1.CryptoKeyVersion], - which represent the actual key material used in - cryptographic operations. + google.cloud.kms_v1.types.MacSignResponse: + Response message for + [KeyManagementService.MacSign][google.cloud.kms.v1.KeyManagementService.MacSign]. """ # Create or coerce a protobuf request object. # Sanity check: If we got a request object, we should *not* have # gotten any keyword arguments that map to the request. - has_flattened_params = any([name, crypto_key_version_id]) + has_flattened_params = any([name, data]) if request is not None and has_flattened_params: raise ValueError( "If the `request` argument is set, then none of " "the individual field arguments should be set." ) - request = service.UpdateCryptoKeyPrimaryVersionRequest(request) + request = service.MacSignRequest(request) # If we have keyword arguments corresponding to fields on the # request, apply these. if name is not None: request.name = name - if crypto_key_version_id is not None: - request.crypto_key_version_id = crypto_key_version_id + if data is not None: + request.data = data # Wrap the RPC method; this adds retry and timeout information, # and friendly error handling. rpc = gapic_v1.method_async.wrap_method( - self._client._transport.update_crypto_key_primary_version, - default_retry=retries.Retry( - initial=0.1, - maximum=60.0, - multiplier=1.3, - predicate=retries.if_exception_type( - core_exceptions.DeadlineExceeded, - core_exceptions.ServiceUnavailable, - ), - deadline=60.0, - ), - default_timeout=60.0, + self._client._transport.mac_sign, + default_timeout=None, client_info=DEFAULT_CLIENT_INFO, ) @@ -2332,50 +2639,49 @@ async def update_crypto_key_primary_version( # Done; return the response. return response - async def destroy_crypto_key_version( + async def mac_verify( self, - request: service.DestroyCryptoKeyVersionRequest = None, + request: service.MacVerifyRequest = None, *, name: str = None, + data: bytes = None, + mac: bytes = None, retry: retries.Retry = gapic_v1.method.DEFAULT, timeout: float = None, metadata: Sequence[Tuple[str, str]] = (), - ) -> resources.CryptoKeyVersion: - r"""Schedule a - [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] for - destruction. - - Upon calling this method, - [CryptoKeyVersion.state][google.cloud.kms.v1.CryptoKeyVersion.state] - will be set to - [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED] - and - [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] - will be set to a time 24 hours in the future, at which point the - [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be - changed to - [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED], - and the key material will be irrevocably destroyed. - - Before the - [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] - is reached, - [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion] - may be called to reverse the process. + ) -> service.MacVerifyResponse: + r"""Verifies MAC tag using a + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with + [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] MAC, + and returns a response that indicates whether or not the + verification was successful. Args: - request (:class:`google.cloud.kms_v1.types.DestroyCryptoKeyVersionRequest`): + request (:class:`google.cloud.kms_v1.types.MacVerifyRequest`): The request object. Request message for - [KeyManagementService.DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion]. + [KeyManagementService.MacVerify][google.cloud.kms.v1.KeyManagementService.MacVerify]. name (:class:`str`): Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] - to destroy. + to use for verification. This corresponds to the ``name`` field on the ``request`` instance; if ``request`` is provided, this should not be set. + data (:class:`bytes`): + Required. The data used previously as a + [MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data] + to generate the MAC tag. + + This corresponds to the ``data`` field + on the ``request`` instance; if ``request`` is provided, this + should not be set. + mac (:class:`bytes`): + Required. The signature to verify. + This corresponds to the ``mac`` field + on the ``request`` instance; if ``request`` is provided, this + should not be set. retry (google.api_core.retry.Retry): Designation of what errors, if any, should be retried. timeout (float): The timeout for this request. @@ -2383,54 +2689,37 @@ async def destroy_crypto_key_version( sent along with the request as metadata. Returns: - google.cloud.kms_v1.types.CryptoKeyVersion: - A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the - associated key material. - - An - [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] - version can be used for cryptographic operations. - - For security reasons, the raw cryptographic key - material represented by a - [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] - can never be viewed or exported. It can only be used - to encrypt, decrypt, or sign data when an authorized - user or application invokes Cloud KMS. + google.cloud.kms_v1.types.MacVerifyResponse: + Response message for + [KeyManagementService.MacVerify][google.cloud.kms.v1.KeyManagementService.MacVerify]. """ # Create or coerce a protobuf request object. # Sanity check: If we got a request object, we should *not* have # gotten any keyword arguments that map to the request. - has_flattened_params = any([name]) + has_flattened_params = any([name, data, mac]) if request is not None and has_flattened_params: raise ValueError( "If the `request` argument is set, then none of " "the individual field arguments should be set." ) - request = service.DestroyCryptoKeyVersionRequest(request) + request = service.MacVerifyRequest(request) # If we have keyword arguments corresponding to fields on the # request, apply these. if name is not None: request.name = name + if data is not None: + request.data = data + if mac is not None: + request.mac = mac # Wrap the RPC method; this adds retry and timeout information, # and friendly error handling. rpc = gapic_v1.method_async.wrap_method( - self._client._transport.destroy_crypto_key_version, - default_retry=retries.Retry( - initial=0.1, - maximum=60.0, - multiplier=1.3, - predicate=retries.if_exception_type( - core_exceptions.DeadlineExceeded, - core_exceptions.ServiceUnavailable, - ), - deadline=60.0, - ), - default_timeout=60.0, + self._client._transport.mac_verify, + default_timeout=None, client_info=DEFAULT_CLIENT_INFO, ) @@ -2446,39 +2735,49 @@ async def destroy_crypto_key_version( # Done; return the response. return response - async def restore_crypto_key_version( + async def generate_random_bytes( self, - request: service.RestoreCryptoKeyVersionRequest = None, + request: service.GenerateRandomBytesRequest = None, *, - name: str = None, + location: str = None, + length_bytes: int = None, + protection_level: resources.ProtectionLevel = None, retry: retries.Retry = gapic_v1.method.DEFAULT, timeout: float = None, metadata: Sequence[Tuple[str, str]] = (), - ) -> resources.CryptoKeyVersion: - r"""Restore a - [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the - [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED] - state. - - Upon restoration of the CryptoKeyVersion, - [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set - to - [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED], - and - [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] - will be cleared. + ) -> service.GenerateRandomBytesResponse: + r"""Generate random bytes using the Cloud KMS randomness + source in the provided location. Args: - request (:class:`google.cloud.kms_v1.types.RestoreCryptoKeyVersionRequest`): + request (:class:`google.cloud.kms_v1.types.GenerateRandomBytesRequest`): The request object. Request message for - [KeyManagementService.RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion]. - name (:class:`str`): - Required. The resource name of the - [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] - to restore. + [KeyManagementService.GenerateRandomBytes][google.cloud.kms.v1.KeyManagementService.GenerateRandomBytes]. + location (:class:`str`): + The project-specific location in + which to generate random bytes. For + example, "projects/my- + project/locations/us-central1". + + This corresponds to the ``location`` field + on the ``request`` instance; if ``request`` is provided, this + should not be set. + length_bytes (:class:`int`): + The length in bytes of the amount of + randomness to retrieve. Minimum 8 + bytes, maximum 1024 bytes. - This corresponds to the ``name`` field + This corresponds to the ``length_bytes`` field + on the ``request`` instance; if ``request`` is provided, this + should not be set. + protection_level (:class:`google.cloud.kms_v1.types.ProtectionLevel`): + The + [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] + to use when generating the random data. Defaults to + [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE]. + + This corresponds to the ``protection_level`` field on the ``request`` instance; if ``request`` is provided, this should not be set. retry (google.api_core.retry.Retry): Designation of what errors, if any, @@ -2488,61 +2787,44 @@ async def restore_crypto_key_version( sent along with the request as metadata. Returns: - google.cloud.kms_v1.types.CryptoKeyVersion: - A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the - associated key material. - - An - [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] - version can be used for cryptographic operations. - - For security reasons, the raw cryptographic key - material represented by a - [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] - can never be viewed or exported. It can only be used - to encrypt, decrypt, or sign data when an authorized - user or application invokes Cloud KMS. + google.cloud.kms_v1.types.GenerateRandomBytesResponse: + Response message for + [KeyManagementService.GenerateRandomBytes][google.cloud.kms.v1.KeyManagementService.GenerateRandomBytes]. """ # Create or coerce a protobuf request object. # Sanity check: If we got a request object, we should *not* have # gotten any keyword arguments that map to the request. - has_flattened_params = any([name]) + has_flattened_params = any([location, length_bytes, protection_level]) if request is not None and has_flattened_params: raise ValueError( "If the `request` argument is set, then none of " "the individual field arguments should be set." ) - request = service.RestoreCryptoKeyVersionRequest(request) + request = service.GenerateRandomBytesRequest(request) # If we have keyword arguments corresponding to fields on the # request, apply these. - if name is not None: - request.name = name + if location is not None: + request.location = location + if length_bytes is not None: + request.length_bytes = length_bytes + if protection_level is not None: + request.protection_level = protection_level # Wrap the RPC method; this adds retry and timeout information, # and friendly error handling. rpc = gapic_v1.method_async.wrap_method( - self._client._transport.restore_crypto_key_version, - default_retry=retries.Retry( - initial=0.1, - maximum=60.0, - multiplier=1.3, - predicate=retries.if_exception_type( - core_exceptions.DeadlineExceeded, - core_exceptions.ServiceUnavailable, - ), - deadline=60.0, - ), - default_timeout=60.0, + self._client._transport.generate_random_bytes, + default_timeout=None, client_info=DEFAULT_CLIENT_INFO, ) # Certain fields should be provided within the metadata header; # add these here. metadata = tuple(metadata) + ( - gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)), + gapic_v1.routing_header.to_grpc_metadata((("location", request.location),)), ) # Send the request. diff --git a/google/cloud/kms_v1/services/key_management_service/client.py b/google/cloud/kms_v1/services/key_management_service/client.py index c3e40c09..c7317018 100644 --- a/google/cloud/kms_v1/services/key_management_service/client.py +++ b/google/cloud/kms_v1/services/key_management_service/client.py @@ -1953,6 +1953,305 @@ def update_crypto_key_version( # Done; return the response. return response + def update_crypto_key_primary_version( + self, + request: service.UpdateCryptoKeyPrimaryVersionRequest = None, + *, + name: str = None, + crypto_key_version_id: str = None, + retry: retries.Retry = gapic_v1.method.DEFAULT, + timeout: float = None, + metadata: Sequence[Tuple[str, str]] = (), + ) -> resources.CryptoKey: + r"""Update the version of a + [CryptoKey][google.cloud.kms.v1.CryptoKey] that will be used in + [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. + + Returns an error if called on a key whose purpose is not + [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]. + + + Args: + request (google.cloud.kms_v1.types.UpdateCryptoKeyPrimaryVersionRequest): + The request object. Request message for + [KeyManagementService.UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion]. + name (str): + Required. The resource name of the + [CryptoKey][google.cloud.kms.v1.CryptoKey] to update. + + This corresponds to the ``name`` field + on the ``request`` instance; if ``request`` is provided, this + should not be set. + crypto_key_version_id (str): + Required. The id of the child + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] + to use as primary. + + This corresponds to the ``crypto_key_version_id`` field + on the ``request`` instance; if ``request`` is provided, this + should not be set. + retry (google.api_core.retry.Retry): Designation of what errors, if any, + should be retried. + timeout (float): The timeout for this request. + metadata (Sequence[Tuple[str, str]]): Strings which should be + sent along with the request as metadata. + + Returns: + google.cloud.kms_v1.types.CryptoKey: + A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key that can be used for cryptographic + operations. + + A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made + up of zero or more + [versions][google.cloud.kms.v1.CryptoKeyVersion], + which represent the actual key material used in + cryptographic operations. + + """ + # Create or coerce a protobuf request object. + # Sanity check: If we got a request object, we should *not* have + # gotten any keyword arguments that map to the request. + has_flattened_params = any([name, crypto_key_version_id]) + if request is not None and has_flattened_params: + raise ValueError( + "If the `request` argument is set, then none of " + "the individual field arguments should be set." + ) + + # Minor optimization to avoid making a copy if the user passes + # in a service.UpdateCryptoKeyPrimaryVersionRequest. + # There's no risk of modifying the input as we've already verified + # there are no flattened fields. + if not isinstance(request, service.UpdateCryptoKeyPrimaryVersionRequest): + request = service.UpdateCryptoKeyPrimaryVersionRequest(request) + # If we have keyword arguments corresponding to fields on the + # request, apply these. + if name is not None: + request.name = name + if crypto_key_version_id is not None: + request.crypto_key_version_id = crypto_key_version_id + + # Wrap the RPC method; this adds retry and timeout information, + # and friendly error handling. + rpc = self._transport._wrapped_methods[ + self._transport.update_crypto_key_primary_version + ] + + # Certain fields should be provided within the metadata header; + # add these here. + metadata = tuple(metadata) + ( + gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)), + ) + + # Send the request. + response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,) + + # Done; return the response. + return response + + def destroy_crypto_key_version( + self, + request: service.DestroyCryptoKeyVersionRequest = None, + *, + name: str = None, + retry: retries.Retry = gapic_v1.method.DEFAULT, + timeout: float = None, + metadata: Sequence[Tuple[str, str]] = (), + ) -> resources.CryptoKeyVersion: + r"""Schedule a + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] for + destruction. + + Upon calling this method, + [CryptoKeyVersion.state][google.cloud.kms.v1.CryptoKeyVersion.state] + will be set to + [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED] + and + [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] + will be set to a time 24 hours in the future, at which point the + [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be + changed to + [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED], + and the key material will be irrevocably destroyed. + + Before the + [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] + is reached, + [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion] + may be called to reverse the process. + + + Args: + request (google.cloud.kms_v1.types.DestroyCryptoKeyVersionRequest): + The request object. Request message for + [KeyManagementService.DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion]. + name (str): + Required. The resource name of the + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] + to destroy. + + This corresponds to the ``name`` field + on the ``request`` instance; if ``request`` is provided, this + should not be set. + retry (google.api_core.retry.Retry): Designation of what errors, if any, + should be retried. + timeout (float): The timeout for this request. + metadata (Sequence[Tuple[str, str]]): Strings which should be + sent along with the request as metadata. + + Returns: + google.cloud.kms_v1.types.CryptoKeyVersion: + A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the + associated key material. + + An + [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] + version can be used for cryptographic operations. + + For security reasons, the raw cryptographic key + material represented by a + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] + can never be viewed or exported. It can only be used + to encrypt, decrypt, or sign data when an authorized + user or application invokes Cloud KMS. + + """ + # Create or coerce a protobuf request object. + # Sanity check: If we got a request object, we should *not* have + # gotten any keyword arguments that map to the request. + has_flattened_params = any([name]) + if request is not None and has_flattened_params: + raise ValueError( + "If the `request` argument is set, then none of " + "the individual field arguments should be set." + ) + + # Minor optimization to avoid making a copy if the user passes + # in a service.DestroyCryptoKeyVersionRequest. + # There's no risk of modifying the input as we've already verified + # there are no flattened fields. + if not isinstance(request, service.DestroyCryptoKeyVersionRequest): + request = service.DestroyCryptoKeyVersionRequest(request) + # If we have keyword arguments corresponding to fields on the + # request, apply these. + if name is not None: + request.name = name + + # Wrap the RPC method; this adds retry and timeout information, + # and friendly error handling. + rpc = self._transport._wrapped_methods[ + self._transport.destroy_crypto_key_version + ] + + # Certain fields should be provided within the metadata header; + # add these here. + metadata = tuple(metadata) + ( + gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)), + ) + + # Send the request. + response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,) + + # Done; return the response. + return response + + def restore_crypto_key_version( + self, + request: service.RestoreCryptoKeyVersionRequest = None, + *, + name: str = None, + retry: retries.Retry = gapic_v1.method.DEFAULT, + timeout: float = None, + metadata: Sequence[Tuple[str, str]] = (), + ) -> resources.CryptoKeyVersion: + r"""Restore a + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the + [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED] + state. + + Upon restoration of the CryptoKeyVersion, + [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set + to + [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED], + and + [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] + will be cleared. + + + Args: + request (google.cloud.kms_v1.types.RestoreCryptoKeyVersionRequest): + The request object. Request message for + [KeyManagementService.RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion]. + name (str): + Required. The resource name of the + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] + to restore. + + This corresponds to the ``name`` field + on the ``request`` instance; if ``request`` is provided, this + should not be set. + retry (google.api_core.retry.Retry): Designation of what errors, if any, + should be retried. + timeout (float): The timeout for this request. + metadata (Sequence[Tuple[str, str]]): Strings which should be + sent along with the request as metadata. + + Returns: + google.cloud.kms_v1.types.CryptoKeyVersion: + A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the + associated key material. + + An + [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] + version can be used for cryptographic operations. + + For security reasons, the raw cryptographic key + material represented by a + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] + can never be viewed or exported. It can only be used + to encrypt, decrypt, or sign data when an authorized + user or application invokes Cloud KMS. + + """ + # Create or coerce a protobuf request object. + # Sanity check: If we got a request object, we should *not* have + # gotten any keyword arguments that map to the request. + has_flattened_params = any([name]) + if request is not None and has_flattened_params: + raise ValueError( + "If the `request` argument is set, then none of " + "the individual field arguments should be set." + ) + + # Minor optimization to avoid making a copy if the user passes + # in a service.RestoreCryptoKeyVersionRequest. + # There's no risk of modifying the input as we've already verified + # there are no flattened fields. + if not isinstance(request, service.RestoreCryptoKeyVersionRequest): + request = service.RestoreCryptoKeyVersionRequest(request) + # If we have keyword arguments corresponding to fields on the + # request, apply these. + if name is not None: + request.name = name + + # Wrap the RPC method; this adds retry and timeout information, + # and friendly error handling. + rpc = self._transport._wrapped_methods[ + self._transport.restore_crypto_key_version + ] + + # Certain fields should be provided within the metadata header; + # add these here. + metadata = tuple(metadata) + ( + gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)), + ) + + # Send the request. + response = rpc(request, retry=retry, timeout=timeout, metadata=metadata,) + + # Done; return the response. + return response + def encrypt( self, request: service.EncryptRequest = None, @@ -2323,41 +2622,41 @@ def asymmetric_decrypt( # Done; return the response. return response - def update_crypto_key_primary_version( + def mac_sign( self, - request: service.UpdateCryptoKeyPrimaryVersionRequest = None, + request: service.MacSignRequest = None, *, name: str = None, - crypto_key_version_id: str = None, + data: bytes = None, retry: retries.Retry = gapic_v1.method.DEFAULT, timeout: float = None, metadata: Sequence[Tuple[str, str]] = (), - ) -> resources.CryptoKey: - r"""Update the version of a - [CryptoKey][google.cloud.kms.v1.CryptoKey] that will be used in - [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. - - Returns an error if called on a key whose purpose is not - [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]. + ) -> service.MacSignResponse: + r"""Signs data using a + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with + [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] MAC, + producing a tag that can be verified by another source with the + same key. Args: - request (google.cloud.kms_v1.types.UpdateCryptoKeyPrimaryVersionRequest): + request (google.cloud.kms_v1.types.MacSignRequest): The request object. Request message for - [KeyManagementService.UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion]. + [KeyManagementService.MacSign][google.cloud.kms.v1.KeyManagementService.MacSign]. name (str): Required. The resource name of the - [CryptoKey][google.cloud.kms.v1.CryptoKey] to update. + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] + to use for signing. This corresponds to the ``name`` field on the ``request`` instance; if ``request`` is provided, this should not be set. - crypto_key_version_id (str): - Required. The id of the child - [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] - to use as primary. + data (bytes): + Required. The data to sign. The MAC + tag is computed over this data field + based on the specific algorithm. - This corresponds to the ``crypto_key_version_id`` field + This corresponds to the ``data`` field on the ``request`` instance; if ``request`` is provided, this should not be set. retry (google.api_core.retry.Retry): Designation of what errors, if any, @@ -2367,21 +2666,15 @@ def update_crypto_key_primary_version( sent along with the request as metadata. Returns: - google.cloud.kms_v1.types.CryptoKey: - A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key that can be used for cryptographic - operations. - - A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made - up of zero or more - [versions][google.cloud.kms.v1.CryptoKeyVersion], - which represent the actual key material used in - cryptographic operations. + google.cloud.kms_v1.types.MacSignResponse: + Response message for + [KeyManagementService.MacSign][google.cloud.kms.v1.KeyManagementService.MacSign]. """ # Create or coerce a protobuf request object. # Sanity check: If we got a request object, we should *not* have # gotten any keyword arguments that map to the request. - has_flattened_params = any([name, crypto_key_version_id]) + has_flattened_params = any([name, data]) if request is not None and has_flattened_params: raise ValueError( "If the `request` argument is set, then none of " @@ -2389,23 +2682,21 @@ def update_crypto_key_primary_version( ) # Minor optimization to avoid making a copy if the user passes - # in a service.UpdateCryptoKeyPrimaryVersionRequest. + # in a service.MacSignRequest. # There's no risk of modifying the input as we've already verified # there are no flattened fields. - if not isinstance(request, service.UpdateCryptoKeyPrimaryVersionRequest): - request = service.UpdateCryptoKeyPrimaryVersionRequest(request) + if not isinstance(request, service.MacSignRequest): + request = service.MacSignRequest(request) # If we have keyword arguments corresponding to fields on the # request, apply these. if name is not None: request.name = name - if crypto_key_version_id is not None: - request.crypto_key_version_id = crypto_key_version_id + if data is not None: + request.data = data # Wrap the RPC method; this adds retry and timeout information, # and friendly error handling. - rpc = self._transport._wrapped_methods[ - self._transport.update_crypto_key_primary_version - ] + rpc = self._transport._wrapped_methods[self._transport.mac_sign] # Certain fields should be provided within the metadata header; # add these here. @@ -2419,50 +2710,49 @@ def update_crypto_key_primary_version( # Done; return the response. return response - def destroy_crypto_key_version( + def mac_verify( self, - request: service.DestroyCryptoKeyVersionRequest = None, + request: service.MacVerifyRequest = None, *, name: str = None, + data: bytes = None, + mac: bytes = None, retry: retries.Retry = gapic_v1.method.DEFAULT, timeout: float = None, metadata: Sequence[Tuple[str, str]] = (), - ) -> resources.CryptoKeyVersion: - r"""Schedule a - [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] for - destruction. - - Upon calling this method, - [CryptoKeyVersion.state][google.cloud.kms.v1.CryptoKeyVersion.state] - will be set to - [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED] - and - [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] - will be set to a time 24 hours in the future, at which point the - [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be - changed to - [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED], - and the key material will be irrevocably destroyed. - - Before the - [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] - is reached, - [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion] - may be called to reverse the process. + ) -> service.MacVerifyResponse: + r"""Verifies MAC tag using a + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with + [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] MAC, + and returns a response that indicates whether or not the + verification was successful. Args: - request (google.cloud.kms_v1.types.DestroyCryptoKeyVersionRequest): + request (google.cloud.kms_v1.types.MacVerifyRequest): The request object. Request message for - [KeyManagementService.DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion]. + [KeyManagementService.MacVerify][google.cloud.kms.v1.KeyManagementService.MacVerify]. name (str): Required. The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] - to destroy. + to use for verification. This corresponds to the ``name`` field on the ``request`` instance; if ``request`` is provided, this should not be set. + data (bytes): + Required. The data used previously as a + [MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data] + to generate the MAC tag. + + This corresponds to the ``data`` field + on the ``request`` instance; if ``request`` is provided, this + should not be set. + mac (bytes): + Required. The signature to verify. + This corresponds to the ``mac`` field + on the ``request`` instance; if ``request`` is provided, this + should not be set. retry (google.api_core.retry.Retry): Designation of what errors, if any, should be retried. timeout (float): The timeout for this request. @@ -2470,26 +2760,15 @@ def destroy_crypto_key_version( sent along with the request as metadata. Returns: - google.cloud.kms_v1.types.CryptoKeyVersion: - A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the - associated key material. - - An - [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] - version can be used for cryptographic operations. - - For security reasons, the raw cryptographic key - material represented by a - [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] - can never be viewed or exported. It can only be used - to encrypt, decrypt, or sign data when an authorized - user or application invokes Cloud KMS. + google.cloud.kms_v1.types.MacVerifyResponse: + Response message for + [KeyManagementService.MacVerify][google.cloud.kms.v1.KeyManagementService.MacVerify]. """ # Create or coerce a protobuf request object. # Sanity check: If we got a request object, we should *not* have # gotten any keyword arguments that map to the request. - has_flattened_params = any([name]) + has_flattened_params = any([name, data, mac]) if request is not None and has_flattened_params: raise ValueError( "If the `request` argument is set, then none of " @@ -2497,21 +2776,23 @@ def destroy_crypto_key_version( ) # Minor optimization to avoid making a copy if the user passes - # in a service.DestroyCryptoKeyVersionRequest. + # in a service.MacVerifyRequest. # There's no risk of modifying the input as we've already verified # there are no flattened fields. - if not isinstance(request, service.DestroyCryptoKeyVersionRequest): - request = service.DestroyCryptoKeyVersionRequest(request) + if not isinstance(request, service.MacVerifyRequest): + request = service.MacVerifyRequest(request) # If we have keyword arguments corresponding to fields on the # request, apply these. if name is not None: request.name = name + if data is not None: + request.data = data + if mac is not None: + request.mac = mac # Wrap the RPC method; this adds retry and timeout information, # and friendly error handling. - rpc = self._transport._wrapped_methods[ - self._transport.destroy_crypto_key_version - ] + rpc = self._transport._wrapped_methods[self._transport.mac_verify] # Certain fields should be provided within the metadata header; # add these here. @@ -2525,39 +2806,49 @@ def destroy_crypto_key_version( # Done; return the response. return response - def restore_crypto_key_version( + def generate_random_bytes( self, - request: service.RestoreCryptoKeyVersionRequest = None, + request: service.GenerateRandomBytesRequest = None, *, - name: str = None, + location: str = None, + length_bytes: int = None, + protection_level: resources.ProtectionLevel = None, retry: retries.Retry = gapic_v1.method.DEFAULT, timeout: float = None, metadata: Sequence[Tuple[str, str]] = (), - ) -> resources.CryptoKeyVersion: - r"""Restore a - [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the - [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED] - state. - - Upon restoration of the CryptoKeyVersion, - [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set - to - [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED], - and - [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] - will be cleared. + ) -> service.GenerateRandomBytesResponse: + r"""Generate random bytes using the Cloud KMS randomness + source in the provided location. Args: - request (google.cloud.kms_v1.types.RestoreCryptoKeyVersionRequest): + request (google.cloud.kms_v1.types.GenerateRandomBytesRequest): The request object. Request message for - [KeyManagementService.RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion]. - name (str): - Required. The resource name of the - [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] - to restore. + [KeyManagementService.GenerateRandomBytes][google.cloud.kms.v1.KeyManagementService.GenerateRandomBytes]. + location (str): + The project-specific location in + which to generate random bytes. For + example, "projects/my- + project/locations/us-central1". + + This corresponds to the ``location`` field + on the ``request`` instance; if ``request`` is provided, this + should not be set. + length_bytes (int): + The length in bytes of the amount of + randomness to retrieve. Minimum 8 + bytes, maximum 1024 bytes. - This corresponds to the ``name`` field + This corresponds to the ``length_bytes`` field + on the ``request`` instance; if ``request`` is provided, this + should not be set. + protection_level (google.cloud.kms_v1.types.ProtectionLevel): + The + [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] + to use when generating the random data. Defaults to + [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE]. + + This corresponds to the ``protection_level`` field on the ``request`` instance; if ``request`` is provided, this should not be set. retry (google.api_core.retry.Retry): Designation of what errors, if any, @@ -2567,26 +2858,15 @@ def restore_crypto_key_version( sent along with the request as metadata. Returns: - google.cloud.kms_v1.types.CryptoKeyVersion: - A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the - associated key material. - - An - [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] - version can be used for cryptographic operations. - - For security reasons, the raw cryptographic key - material represented by a - [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] - can never be viewed or exported. It can only be used - to encrypt, decrypt, or sign data when an authorized - user or application invokes Cloud KMS. + google.cloud.kms_v1.types.GenerateRandomBytesResponse: + Response message for + [KeyManagementService.GenerateRandomBytes][google.cloud.kms.v1.KeyManagementService.GenerateRandomBytes]. """ # Create or coerce a protobuf request object. # Sanity check: If we got a request object, we should *not* have # gotten any keyword arguments that map to the request. - has_flattened_params = any([name]) + has_flattened_params = any([location, length_bytes, protection_level]) if request is not None and has_flattened_params: raise ValueError( "If the `request` argument is set, then none of " @@ -2594,26 +2874,28 @@ def restore_crypto_key_version( ) # Minor optimization to avoid making a copy if the user passes - # in a service.RestoreCryptoKeyVersionRequest. + # in a service.GenerateRandomBytesRequest. # There's no risk of modifying the input as we've already verified # there are no flattened fields. - if not isinstance(request, service.RestoreCryptoKeyVersionRequest): - request = service.RestoreCryptoKeyVersionRequest(request) + if not isinstance(request, service.GenerateRandomBytesRequest): + request = service.GenerateRandomBytesRequest(request) # If we have keyword arguments corresponding to fields on the # request, apply these. - if name is not None: - request.name = name + if location is not None: + request.location = location + if length_bytes is not None: + request.length_bytes = length_bytes + if protection_level is not None: + request.protection_level = protection_level # Wrap the RPC method; this adds retry and timeout information, # and friendly error handling. - rpc = self._transport._wrapped_methods[ - self._transport.restore_crypto_key_version - ] + rpc = self._transport._wrapped_methods[self._transport.generate_random_bytes] # Certain fields should be provided within the metadata header; # add these here. metadata = tuple(metadata) + ( - gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)), + gapic_v1.routing_header.to_grpc_metadata((("location", request.location),)), ) # Send the request. diff --git a/google/cloud/kms_v1/services/key_management_service/transports/base.py b/google/cloud/kms_v1/services/key_management_service/transports/base.py index f7c19304..b1287138 100644 --- a/google/cloud/kms_v1/services/key_management_service/transports/base.py +++ b/google/cloud/kms_v1/services/key_management_service/transports/base.py @@ -378,8 +378,8 @@ def _prep_wrapped_messages(self, client_info): default_timeout=60.0, client_info=client_info, ), - self.encrypt: gapic_v1.method.wrap_method( - self.encrypt, + self.update_crypto_key_primary_version: gapic_v1.method.wrap_method( + self.update_crypto_key_primary_version, default_retry=retries.Retry( initial=0.1, maximum=60.0, @@ -393,8 +393,8 @@ def _prep_wrapped_messages(self, client_info): default_timeout=60.0, client_info=client_info, ), - self.decrypt: gapic_v1.method.wrap_method( - self.decrypt, + self.destroy_crypto_key_version: gapic_v1.method.wrap_method( + self.destroy_crypto_key_version, default_retry=retries.Retry( initial=0.1, maximum=60.0, @@ -408,8 +408,8 @@ def _prep_wrapped_messages(self, client_info): default_timeout=60.0, client_info=client_info, ), - self.asymmetric_sign: gapic_v1.method.wrap_method( - self.asymmetric_sign, + self.restore_crypto_key_version: gapic_v1.method.wrap_method( + self.restore_crypto_key_version, default_retry=retries.Retry( initial=0.1, maximum=60.0, @@ -423,8 +423,8 @@ def _prep_wrapped_messages(self, client_info): default_timeout=60.0, client_info=client_info, ), - self.asymmetric_decrypt: gapic_v1.method.wrap_method( - self.asymmetric_decrypt, + self.encrypt: gapic_v1.method.wrap_method( + self.encrypt, default_retry=retries.Retry( initial=0.1, maximum=60.0, @@ -438,8 +438,8 @@ def _prep_wrapped_messages(self, client_info): default_timeout=60.0, client_info=client_info, ), - self.update_crypto_key_primary_version: gapic_v1.method.wrap_method( - self.update_crypto_key_primary_version, + self.decrypt: gapic_v1.method.wrap_method( + self.decrypt, default_retry=retries.Retry( initial=0.1, maximum=60.0, @@ -453,8 +453,8 @@ def _prep_wrapped_messages(self, client_info): default_timeout=60.0, client_info=client_info, ), - self.destroy_crypto_key_version: gapic_v1.method.wrap_method( - self.destroy_crypto_key_version, + self.asymmetric_sign: gapic_v1.method.wrap_method( + self.asymmetric_sign, default_retry=retries.Retry( initial=0.1, maximum=60.0, @@ -468,8 +468,8 @@ def _prep_wrapped_messages(self, client_info): default_timeout=60.0, client_info=client_info, ), - self.restore_crypto_key_version: gapic_v1.method.wrap_method( - self.restore_crypto_key_version, + self.asymmetric_decrypt: gapic_v1.method.wrap_method( + self.asymmetric_decrypt, default_retry=retries.Retry( initial=0.1, maximum=60.0, @@ -483,6 +483,17 @@ def _prep_wrapped_messages(self, client_info): default_timeout=60.0, client_info=client_info, ), + self.mac_sign: gapic_v1.method.wrap_method( + self.mac_sign, default_timeout=None, client_info=client_info, + ), + self.mac_verify: gapic_v1.method.wrap_method( + self.mac_verify, default_timeout=None, client_info=client_info, + ), + self.generate_random_bytes: gapic_v1.method.wrap_method( + self.generate_random_bytes, + default_timeout=None, + client_info=client_info, + ), } @property @@ -636,6 +647,33 @@ def update_crypto_key_version( ]: raise NotImplementedError() + @property + def update_crypto_key_primary_version( + self, + ) -> Callable[ + [service.UpdateCryptoKeyPrimaryVersionRequest], + Union[resources.CryptoKey, Awaitable[resources.CryptoKey]], + ]: + raise NotImplementedError() + + @property + def destroy_crypto_key_version( + self, + ) -> Callable[ + [service.DestroyCryptoKeyVersionRequest], + Union[resources.CryptoKeyVersion, Awaitable[resources.CryptoKeyVersion]], + ]: + raise NotImplementedError() + + @property + def restore_crypto_key_version( + self, + ) -> Callable[ + [service.RestoreCryptoKeyVersionRequest], + Union[resources.CryptoKeyVersion, Awaitable[resources.CryptoKeyVersion]], + ]: + raise NotImplementedError() + @property def encrypt( self, @@ -678,29 +716,32 @@ def asymmetric_decrypt( raise NotImplementedError() @property - def update_crypto_key_primary_version( + def mac_sign( self, ) -> Callable[ - [service.UpdateCryptoKeyPrimaryVersionRequest], - Union[resources.CryptoKey, Awaitable[resources.CryptoKey]], + [service.MacSignRequest], + Union[service.MacSignResponse, Awaitable[service.MacSignResponse]], ]: raise NotImplementedError() @property - def destroy_crypto_key_version( + def mac_verify( self, ) -> Callable[ - [service.DestroyCryptoKeyVersionRequest], - Union[resources.CryptoKeyVersion, Awaitable[resources.CryptoKeyVersion]], + [service.MacVerifyRequest], + Union[service.MacVerifyResponse, Awaitable[service.MacVerifyResponse]], ]: raise NotImplementedError() @property - def restore_crypto_key_version( + def generate_random_bytes( self, ) -> Callable[ - [service.RestoreCryptoKeyVersionRequest], - Union[resources.CryptoKeyVersion, Awaitable[resources.CryptoKeyVersion]], + [service.GenerateRandomBytesRequest], + Union[ + service.GenerateRandomBytesResponse, + Awaitable[service.GenerateRandomBytesResponse], + ], ]: raise NotImplementedError() diff --git a/google/cloud/kms_v1/services/key_management_service/transports/grpc.py b/google/cloud/kms_v1/services/key_management_service/transports/grpc.py index b838679e..04159013 100644 --- a/google/cloud/kms_v1/services/key_management_service/transports/grpc.py +++ b/google/cloud/kms_v1/services/key_management_service/transports/grpc.py @@ -703,6 +703,123 @@ def update_crypto_key_version( ) return self._stubs["update_crypto_key_version"] + @property + def update_crypto_key_primary_version( + self, + ) -> Callable[[service.UpdateCryptoKeyPrimaryVersionRequest], resources.CryptoKey]: + r"""Return a callable for the update crypto key primary + version method over gRPC. + + Update the version of a + [CryptoKey][google.cloud.kms.v1.CryptoKey] that will be used in + [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. + + Returns an error if called on a key whose purpose is not + [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]. + + Returns: + Callable[[~.UpdateCryptoKeyPrimaryVersionRequest], + ~.CryptoKey]: + A function that, when called, will call the underlying RPC + on the server. + """ + # Generate a "stub function" on-the-fly which will actually make + # the request. + # gRPC handles serialization and deserialization, so we just need + # to pass in the functions for each. + if "update_crypto_key_primary_version" not in self._stubs: + self._stubs[ + "update_crypto_key_primary_version" + ] = self.grpc_channel.unary_unary( + "/google.cloud.kms.v1.KeyManagementService/UpdateCryptoKeyPrimaryVersion", + request_serializer=service.UpdateCryptoKeyPrimaryVersionRequest.serialize, + response_deserializer=resources.CryptoKey.deserialize, + ) + return self._stubs["update_crypto_key_primary_version"] + + @property + def destroy_crypto_key_version( + self, + ) -> Callable[[service.DestroyCryptoKeyVersionRequest], resources.CryptoKeyVersion]: + r"""Return a callable for the destroy crypto key version method over gRPC. + + Schedule a + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] for + destruction. + + Upon calling this method, + [CryptoKeyVersion.state][google.cloud.kms.v1.CryptoKeyVersion.state] + will be set to + [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED] + and + [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] + will be set to a time 24 hours in the future, at which point the + [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be + changed to + [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED], + and the key material will be irrevocably destroyed. + + Before the + [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] + is reached, + [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion] + may be called to reverse the process. + + Returns: + Callable[[~.DestroyCryptoKeyVersionRequest], + ~.CryptoKeyVersion]: + A function that, when called, will call the underlying RPC + on the server. + """ + # Generate a "stub function" on-the-fly which will actually make + # the request. + # gRPC handles serialization and deserialization, so we just need + # to pass in the functions for each. + if "destroy_crypto_key_version" not in self._stubs: + self._stubs["destroy_crypto_key_version"] = self.grpc_channel.unary_unary( + "/google.cloud.kms.v1.KeyManagementService/DestroyCryptoKeyVersion", + request_serializer=service.DestroyCryptoKeyVersionRequest.serialize, + response_deserializer=resources.CryptoKeyVersion.deserialize, + ) + return self._stubs["destroy_crypto_key_version"] + + @property + def restore_crypto_key_version( + self, + ) -> Callable[[service.RestoreCryptoKeyVersionRequest], resources.CryptoKeyVersion]: + r"""Return a callable for the restore crypto key version method over gRPC. + + Restore a + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the + [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED] + state. + + Upon restoration of the CryptoKeyVersion, + [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set + to + [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED], + and + [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] + will be cleared. + + Returns: + Callable[[~.RestoreCryptoKeyVersionRequest], + ~.CryptoKeyVersion]: + A function that, when called, will call the underlying RPC + on the server. + """ + # Generate a "stub function" on-the-fly which will actually make + # the request. + # gRPC handles serialization and deserialization, so we just need + # to pass in the functions for each. + if "restore_crypto_key_version" not in self._stubs: + self._stubs["restore_crypto_key_version"] = self.grpc_channel.unary_unary( + "/google.cloud.kms.v1.KeyManagementService/RestoreCryptoKeyVersion", + request_serializer=service.RestoreCryptoKeyVersionRequest.serialize, + response_deserializer=resources.CryptoKeyVersion.deserialize, + ) + return self._stubs["restore_crypto_key_version"] + @property def encrypt(self) -> Callable[[service.EncryptRequest], service.EncryptResponse]: r"""Return a callable for the encrypt method over gRPC. @@ -825,22 +942,18 @@ def asymmetric_decrypt( return self._stubs["asymmetric_decrypt"] @property - def update_crypto_key_primary_version( - self, - ) -> Callable[[service.UpdateCryptoKeyPrimaryVersionRequest], resources.CryptoKey]: - r"""Return a callable for the update crypto key primary - version method over gRPC. - - Update the version of a - [CryptoKey][google.cloud.kms.v1.CryptoKey] that will be used in - [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. + def mac_sign(self) -> Callable[[service.MacSignRequest], service.MacSignResponse]: + r"""Return a callable for the mac sign method over gRPC. - Returns an error if called on a key whose purpose is not - [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]. + Signs data using a + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with + [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] MAC, + producing a tag that can be verified by another source with the + same key. Returns: - Callable[[~.UpdateCryptoKeyPrimaryVersionRequest], - ~.CryptoKey]: + Callable[[~.MacSignRequest], + ~.MacSignResponse]: A function that, when called, will call the underlying RPC on the server. """ @@ -848,47 +961,29 @@ def update_crypto_key_primary_version( # the request. # gRPC handles serialization and deserialization, so we just need # to pass in the functions for each. - if "update_crypto_key_primary_version" not in self._stubs: - self._stubs[ - "update_crypto_key_primary_version" - ] = self.grpc_channel.unary_unary( - "/google.cloud.kms.v1.KeyManagementService/UpdateCryptoKeyPrimaryVersion", - request_serializer=service.UpdateCryptoKeyPrimaryVersionRequest.serialize, - response_deserializer=resources.CryptoKey.deserialize, + if "mac_sign" not in self._stubs: + self._stubs["mac_sign"] = self.grpc_channel.unary_unary( + "/google.cloud.kms.v1.KeyManagementService/MacSign", + request_serializer=service.MacSignRequest.serialize, + response_deserializer=service.MacSignResponse.deserialize, ) - return self._stubs["update_crypto_key_primary_version"] + return self._stubs["mac_sign"] @property - def destroy_crypto_key_version( + def mac_verify( self, - ) -> Callable[[service.DestroyCryptoKeyVersionRequest], resources.CryptoKeyVersion]: - r"""Return a callable for the destroy crypto key version method over gRPC. + ) -> Callable[[service.MacVerifyRequest], service.MacVerifyResponse]: + r"""Return a callable for the mac verify method over gRPC. - Schedule a - [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] for - destruction. - - Upon calling this method, - [CryptoKeyVersion.state][google.cloud.kms.v1.CryptoKeyVersion.state] - will be set to - [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED] - and - [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] - will be set to a time 24 hours in the future, at which point the - [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be - changed to - [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED], - and the key material will be irrevocably destroyed. - - Before the - [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] - is reached, - [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion] - may be called to reverse the process. + Verifies MAC tag using a + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with + [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] MAC, + and returns a response that indicates whether or not the + verification was successful. Returns: - Callable[[~.DestroyCryptoKeyVersionRequest], - ~.CryptoKeyVersion]: + Callable[[~.MacVerifyRequest], + ~.MacVerifyResponse]: A function that, when called, will call the underlying RPC on the server. """ @@ -896,36 +991,28 @@ def destroy_crypto_key_version( # the request. # gRPC handles serialization and deserialization, so we just need # to pass in the functions for each. - if "destroy_crypto_key_version" not in self._stubs: - self._stubs["destroy_crypto_key_version"] = self.grpc_channel.unary_unary( - "/google.cloud.kms.v1.KeyManagementService/DestroyCryptoKeyVersion", - request_serializer=service.DestroyCryptoKeyVersionRequest.serialize, - response_deserializer=resources.CryptoKeyVersion.deserialize, + if "mac_verify" not in self._stubs: + self._stubs["mac_verify"] = self.grpc_channel.unary_unary( + "/google.cloud.kms.v1.KeyManagementService/MacVerify", + request_serializer=service.MacVerifyRequest.serialize, + response_deserializer=service.MacVerifyResponse.deserialize, ) - return self._stubs["destroy_crypto_key_version"] + return self._stubs["mac_verify"] @property - def restore_crypto_key_version( + def generate_random_bytes( self, - ) -> Callable[[service.RestoreCryptoKeyVersionRequest], resources.CryptoKeyVersion]: - r"""Return a callable for the restore crypto key version method over gRPC. - - Restore a - [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the - [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED] - state. + ) -> Callable[ + [service.GenerateRandomBytesRequest], service.GenerateRandomBytesResponse + ]: + r"""Return a callable for the generate random bytes method over gRPC. - Upon restoration of the CryptoKeyVersion, - [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set - to - [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED], - and - [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] - will be cleared. + Generate random bytes using the Cloud KMS randomness + source in the provided location. Returns: - Callable[[~.RestoreCryptoKeyVersionRequest], - ~.CryptoKeyVersion]: + Callable[[~.GenerateRandomBytesRequest], + ~.GenerateRandomBytesResponse]: A function that, when called, will call the underlying RPC on the server. """ @@ -933,13 +1020,13 @@ def restore_crypto_key_version( # the request. # gRPC handles serialization and deserialization, so we just need # to pass in the functions for each. - if "restore_crypto_key_version" not in self._stubs: - self._stubs["restore_crypto_key_version"] = self.grpc_channel.unary_unary( - "/google.cloud.kms.v1.KeyManagementService/RestoreCryptoKeyVersion", - request_serializer=service.RestoreCryptoKeyVersionRequest.serialize, - response_deserializer=resources.CryptoKeyVersion.deserialize, + if "generate_random_bytes" not in self._stubs: + self._stubs["generate_random_bytes"] = self.grpc_channel.unary_unary( + "/google.cloud.kms.v1.KeyManagementService/GenerateRandomBytes", + request_serializer=service.GenerateRandomBytesRequest.serialize, + response_deserializer=service.GenerateRandomBytesResponse.deserialize, ) - return self._stubs["restore_crypto_key_version"] + return self._stubs["generate_random_bytes"] @property def set_iam_policy( diff --git a/google/cloud/kms_v1/services/key_management_service/transports/grpc_asyncio.py b/google/cloud/kms_v1/services/key_management_service/transports/grpc_asyncio.py index 66a578e4..09319509 100644 --- a/google/cloud/kms_v1/services/key_management_service/transports/grpc_asyncio.py +++ b/google/cloud/kms_v1/services/key_management_service/transports/grpc_asyncio.py @@ -723,6 +723,129 @@ def update_crypto_key_version( ) return self._stubs["update_crypto_key_version"] + @property + def update_crypto_key_primary_version( + self, + ) -> Callable[ + [service.UpdateCryptoKeyPrimaryVersionRequest], Awaitable[resources.CryptoKey] + ]: + r"""Return a callable for the update crypto key primary + version method over gRPC. + + Update the version of a + [CryptoKey][google.cloud.kms.v1.CryptoKey] that will be used in + [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. + + Returns an error if called on a key whose purpose is not + [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]. + + Returns: + Callable[[~.UpdateCryptoKeyPrimaryVersionRequest], + Awaitable[~.CryptoKey]]: + A function that, when called, will call the underlying RPC + on the server. + """ + # Generate a "stub function" on-the-fly which will actually make + # the request. + # gRPC handles serialization and deserialization, so we just need + # to pass in the functions for each. + if "update_crypto_key_primary_version" not in self._stubs: + self._stubs[ + "update_crypto_key_primary_version" + ] = self.grpc_channel.unary_unary( + "/google.cloud.kms.v1.KeyManagementService/UpdateCryptoKeyPrimaryVersion", + request_serializer=service.UpdateCryptoKeyPrimaryVersionRequest.serialize, + response_deserializer=resources.CryptoKey.deserialize, + ) + return self._stubs["update_crypto_key_primary_version"] + + @property + def destroy_crypto_key_version( + self, + ) -> Callable[ + [service.DestroyCryptoKeyVersionRequest], Awaitable[resources.CryptoKeyVersion] + ]: + r"""Return a callable for the destroy crypto key version method over gRPC. + + Schedule a + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] for + destruction. + + Upon calling this method, + [CryptoKeyVersion.state][google.cloud.kms.v1.CryptoKeyVersion.state] + will be set to + [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED] + and + [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] + will be set to a time 24 hours in the future, at which point the + [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be + changed to + [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED], + and the key material will be irrevocably destroyed. + + Before the + [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] + is reached, + [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion] + may be called to reverse the process. + + Returns: + Callable[[~.DestroyCryptoKeyVersionRequest], + Awaitable[~.CryptoKeyVersion]]: + A function that, when called, will call the underlying RPC + on the server. + """ + # Generate a "stub function" on-the-fly which will actually make + # the request. + # gRPC handles serialization and deserialization, so we just need + # to pass in the functions for each. + if "destroy_crypto_key_version" not in self._stubs: + self._stubs["destroy_crypto_key_version"] = self.grpc_channel.unary_unary( + "/google.cloud.kms.v1.KeyManagementService/DestroyCryptoKeyVersion", + request_serializer=service.DestroyCryptoKeyVersionRequest.serialize, + response_deserializer=resources.CryptoKeyVersion.deserialize, + ) + return self._stubs["destroy_crypto_key_version"] + + @property + def restore_crypto_key_version( + self, + ) -> Callable[ + [service.RestoreCryptoKeyVersionRequest], Awaitable[resources.CryptoKeyVersion] + ]: + r"""Return a callable for the restore crypto key version method over gRPC. + + Restore a + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the + [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED] + state. + + Upon restoration of the CryptoKeyVersion, + [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set + to + [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED], + and + [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] + will be cleared. + + Returns: + Callable[[~.RestoreCryptoKeyVersionRequest], + Awaitable[~.CryptoKeyVersion]]: + A function that, when called, will call the underlying RPC + on the server. + """ + # Generate a "stub function" on-the-fly which will actually make + # the request. + # gRPC handles serialization and deserialization, so we just need + # to pass in the functions for each. + if "restore_crypto_key_version" not in self._stubs: + self._stubs["restore_crypto_key_version"] = self.grpc_channel.unary_unary( + "/google.cloud.kms.v1.KeyManagementService/RestoreCryptoKeyVersion", + request_serializer=service.RestoreCryptoKeyVersionRequest.serialize, + response_deserializer=resources.CryptoKeyVersion.deserialize, + ) + return self._stubs["restore_crypto_key_version"] + @property def encrypt( self, @@ -851,24 +974,20 @@ def asymmetric_decrypt( return self._stubs["asymmetric_decrypt"] @property - def update_crypto_key_primary_version( + def mac_sign( self, - ) -> Callable[ - [service.UpdateCryptoKeyPrimaryVersionRequest], Awaitable[resources.CryptoKey] - ]: - r"""Return a callable for the update crypto key primary - version method over gRPC. + ) -> Callable[[service.MacSignRequest], Awaitable[service.MacSignResponse]]: + r"""Return a callable for the mac sign method over gRPC. - Update the version of a - [CryptoKey][google.cloud.kms.v1.CryptoKey] that will be used in - [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. - - Returns an error if called on a key whose purpose is not - [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT]. + Signs data using a + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with + [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] MAC, + producing a tag that can be verified by another source with the + same key. Returns: - Callable[[~.UpdateCryptoKeyPrimaryVersionRequest], - Awaitable[~.CryptoKey]]: + Callable[[~.MacSignRequest], + Awaitable[~.MacSignResponse]]: A function that, when called, will call the underlying RPC on the server. """ @@ -876,49 +995,29 @@ def update_crypto_key_primary_version( # the request. # gRPC handles serialization and deserialization, so we just need # to pass in the functions for each. - if "update_crypto_key_primary_version" not in self._stubs: - self._stubs[ - "update_crypto_key_primary_version" - ] = self.grpc_channel.unary_unary( - "/google.cloud.kms.v1.KeyManagementService/UpdateCryptoKeyPrimaryVersion", - request_serializer=service.UpdateCryptoKeyPrimaryVersionRequest.serialize, - response_deserializer=resources.CryptoKey.deserialize, + if "mac_sign" not in self._stubs: + self._stubs["mac_sign"] = self.grpc_channel.unary_unary( + "/google.cloud.kms.v1.KeyManagementService/MacSign", + request_serializer=service.MacSignRequest.serialize, + response_deserializer=service.MacSignResponse.deserialize, ) - return self._stubs["update_crypto_key_primary_version"] + return self._stubs["mac_sign"] @property - def destroy_crypto_key_version( + def mac_verify( self, - ) -> Callable[ - [service.DestroyCryptoKeyVersionRequest], Awaitable[resources.CryptoKeyVersion] - ]: - r"""Return a callable for the destroy crypto key version method over gRPC. - - Schedule a - [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] for - destruction. - - Upon calling this method, - [CryptoKeyVersion.state][google.cloud.kms.v1.CryptoKeyVersion.state] - will be set to - [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED] - and - [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] - will be set to a time 24 hours in the future, at which point the - [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be - changed to - [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED], - and the key material will be irrevocably destroyed. + ) -> Callable[[service.MacVerifyRequest], Awaitable[service.MacVerifyResponse]]: + r"""Return a callable for the mac verify method over gRPC. - Before the - [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] - is reached, - [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion] - may be called to reverse the process. + Verifies MAC tag using a + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] with + [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] MAC, + and returns a response that indicates whether or not the + verification was successful. Returns: - Callable[[~.DestroyCryptoKeyVersionRequest], - Awaitable[~.CryptoKeyVersion]]: + Callable[[~.MacVerifyRequest], + Awaitable[~.MacVerifyResponse]]: A function that, when called, will call the underlying RPC on the server. """ @@ -926,38 +1025,29 @@ def destroy_crypto_key_version( # the request. # gRPC handles serialization and deserialization, so we just need # to pass in the functions for each. - if "destroy_crypto_key_version" not in self._stubs: - self._stubs["destroy_crypto_key_version"] = self.grpc_channel.unary_unary( - "/google.cloud.kms.v1.KeyManagementService/DestroyCryptoKeyVersion", - request_serializer=service.DestroyCryptoKeyVersionRequest.serialize, - response_deserializer=resources.CryptoKeyVersion.deserialize, + if "mac_verify" not in self._stubs: + self._stubs["mac_verify"] = self.grpc_channel.unary_unary( + "/google.cloud.kms.v1.KeyManagementService/MacVerify", + request_serializer=service.MacVerifyRequest.serialize, + response_deserializer=service.MacVerifyResponse.deserialize, ) - return self._stubs["destroy_crypto_key_version"] + return self._stubs["mac_verify"] @property - def restore_crypto_key_version( + def generate_random_bytes( self, ) -> Callable[ - [service.RestoreCryptoKeyVersionRequest], Awaitable[resources.CryptoKeyVersion] + [service.GenerateRandomBytesRequest], + Awaitable[service.GenerateRandomBytesResponse], ]: - r"""Return a callable for the restore crypto key version method over gRPC. + r"""Return a callable for the generate random bytes method over gRPC. - Restore a - [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the - [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED] - state. - - Upon restoration of the CryptoKeyVersion, - [state][google.cloud.kms.v1.CryptoKeyVersion.state] will be set - to - [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED], - and - [destroy_time][google.cloud.kms.v1.CryptoKeyVersion.destroy_time] - will be cleared. + Generate random bytes using the Cloud KMS randomness + source in the provided location. Returns: - Callable[[~.RestoreCryptoKeyVersionRequest], - Awaitable[~.CryptoKeyVersion]]: + Callable[[~.GenerateRandomBytesRequest], + Awaitable[~.GenerateRandomBytesResponse]]: A function that, when called, will call the underlying RPC on the server. """ @@ -965,13 +1055,13 @@ def restore_crypto_key_version( # the request. # gRPC handles serialization and deserialization, so we just need # to pass in the functions for each. - if "restore_crypto_key_version" not in self._stubs: - self._stubs["restore_crypto_key_version"] = self.grpc_channel.unary_unary( - "/google.cloud.kms.v1.KeyManagementService/RestoreCryptoKeyVersion", - request_serializer=service.RestoreCryptoKeyVersionRequest.serialize, - response_deserializer=resources.CryptoKeyVersion.deserialize, + if "generate_random_bytes" not in self._stubs: + self._stubs["generate_random_bytes"] = self.grpc_channel.unary_unary( + "/google.cloud.kms.v1.KeyManagementService/GenerateRandomBytes", + request_serializer=service.GenerateRandomBytesRequest.serialize, + response_deserializer=service.GenerateRandomBytesResponse.deserialize, ) - return self._stubs["restore_crypto_key_version"] + return self._stubs["generate_random_bytes"] @property def set_iam_policy( diff --git a/google/cloud/kms_v1/types/__init__.py b/google/cloud/kms_v1/types/__init__.py index 13ffe5c9..85c10803 100644 --- a/google/cloud/kms_v1/types/__init__.py +++ b/google/cloud/kms_v1/types/__init__.py @@ -39,6 +39,8 @@ Digest, EncryptRequest, EncryptResponse, + GenerateRandomBytesRequest, + GenerateRandomBytesResponse, GetCryptoKeyRequest, GetCryptoKeyVersionRequest, GetImportJobRequest, @@ -54,6 +56,10 @@ ListKeyRingsRequest, ListKeyRingsResponse, LocationMetadata, + MacSignRequest, + MacSignResponse, + MacVerifyRequest, + MacVerifyResponse, RestoreCryptoKeyVersionRequest, UpdateCryptoKeyPrimaryVersionRequest, UpdateCryptoKeyRequest, @@ -84,6 +90,8 @@ "Digest", "EncryptRequest", "EncryptResponse", + "GenerateRandomBytesRequest", + "GenerateRandomBytesResponse", "GetCryptoKeyRequest", "GetCryptoKeyVersionRequest", "GetImportJobRequest", @@ -99,6 +107,10 @@ "ListKeyRingsRequest", "ListKeyRingsResponse", "LocationMetadata", + "MacSignRequest", + "MacSignResponse", + "MacVerifyRequest", + "MacVerifyResponse", "RestoreCryptoKeyVersionRequest", "UpdateCryptoKeyPrimaryVersionRequest", "UpdateCryptoKeyRequest", diff --git a/google/cloud/kms_v1/types/resources.py b/google/cloud/kms_v1/types/resources.py index ad94bfa8..294a43fe 100644 --- a/google/cloud/kms_v1/types/resources.py +++ b/google/cloud/kms_v1/types/resources.py @@ -150,6 +150,17 @@ class CryptoKey(proto.Message): Labels with user-defined metadata. For more information, see `Labeling Keys `__. + import_only (bool): + Immutable. Whether this key may contain + imported versions only. + destroy_scheduled_duration (google.protobuf.duration_pb2.Duration): + Immutable. The period of time that versions of this key + spend in the + [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED] + state before transitioning to + [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED]. + If not specified at creation time, the default duration is + 24 hours. """ class CryptoKeyPurpose(proto.Enum): @@ -164,6 +175,7 @@ class CryptoKeyPurpose(proto.Enum): ENCRYPT_DECRYPT = 1 ASYMMETRIC_SIGN = 5 ASYMMETRIC_DECRYPT = 6 + MAC = 9 name = proto.Field(proto.STRING, number=1,) primary = proto.Field(proto.MESSAGE, number=2, message="CryptoKeyVersion",) @@ -182,6 +194,10 @@ class CryptoKeyPurpose(proto.Enum): proto.MESSAGE, number=11, message="CryptoKeyVersionTemplate", ) labels = proto.MapField(proto.STRING, proto.STRING, number=10,) + import_only = proto.Field(proto.BOOL, number=13,) + destroy_scheduled_duration = proto.Field( + proto.MESSAGE, number=14, message=duration_pb2.Duration, + ) class CryptoKeyVersionTemplate(proto.Message): @@ -368,6 +384,13 @@ class CryptoKeyVersionAlgorithm(proto.Enum): The fields in the name after "EC_SIGN\_" correspond to the following parameters: elliptic curve, digest algorithm. + Algorithms beginning with "HMAC\_" are usable with + [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] + [MAC][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.MAC]. + + The suffix following "HMAC\_" corresponds to the hash algorithm being + used (eg. SHA256). + For more information, see [Key purposes and algorithms] (https://cloud.google.com/kms/docs/algorithms). """ @@ -388,6 +411,7 @@ class CryptoKeyVersionAlgorithm(proto.Enum): EC_SIGN_P256_SHA256 = 12 EC_SIGN_P384_SHA384 = 13 EC_SIGN_SECP256K1_SHA256 = 31 + HMAC_SHA256 = 32 EXTERNAL_SYMMETRIC_ENCRYPTION = 18 class CryptoKeyVersionState(proto.Enum): @@ -485,6 +509,11 @@ class PublicKey(proto.Message): public key. Provided here for verification. NOTE: This field is in Beta. + protection_level (google.cloud.kms_v1.types.ProtectionLevel): + The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] + of the + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] + public key. """ pem = proto.Field(proto.STRING, number=1,) @@ -493,6 +522,7 @@ class PublicKey(proto.Message): ) pem_crc32c = proto.Field(proto.MESSAGE, number=3, message=wrappers_pb2.Int64Value,) name = proto.Field(proto.STRING, number=4,) + protection_level = proto.Field(proto.ENUM, number=5, enum="ProtectionLevel",) class ImportJob(proto.Message): diff --git a/google/cloud/kms_v1/types/service.py b/google/cloud/kms_v1/types/service.py index 89831372..96ab8e87 100644 --- a/google/cloud/kms_v1/types/service.py +++ b/google/cloud/kms_v1/types/service.py @@ -43,17 +43,23 @@ "CreateImportJobRequest", "UpdateCryptoKeyRequest", "UpdateCryptoKeyVersionRequest", + "UpdateCryptoKeyPrimaryVersionRequest", + "DestroyCryptoKeyVersionRequest", + "RestoreCryptoKeyVersionRequest", "EncryptRequest", "DecryptRequest", "AsymmetricSignRequest", "AsymmetricDecryptRequest", - "DecryptResponse", + "MacSignRequest", + "MacVerifyRequest", + "GenerateRandomBytesRequest", "EncryptResponse", + "DecryptResponse", "AsymmetricSignResponse", "AsymmetricDecryptResponse", - "UpdateCryptoKeyPrimaryVersionRequest", - "DestroyCryptoKeyVersionRequest", - "RestoreCryptoKeyVersionRequest", + "MacSignResponse", + "MacVerifyResponse", + "GenerateRandomBytesResponse", "Digest", "LocationMetadata", }, @@ -609,6 +615,52 @@ class UpdateCryptoKeyVersionRequest(proto.Message): ) +class UpdateCryptoKeyPrimaryVersionRequest(proto.Message): + r"""Request message for + [KeyManagementService.UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion]. + + Attributes: + name (str): + Required. The resource name of the + [CryptoKey][google.cloud.kms.v1.CryptoKey] to update. + crypto_key_version_id (str): + Required. The id of the child + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to + use as primary. + """ + + name = proto.Field(proto.STRING, number=1,) + crypto_key_version_id = proto.Field(proto.STRING, number=2,) + + +class DestroyCryptoKeyVersionRequest(proto.Message): + r"""Request message for + [KeyManagementService.DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion]. + + Attributes: + name (str): + Required. The resource name of the + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to + destroy. + """ + + name = proto.Field(proto.STRING, number=1,) + + +class RestoreCryptoKeyVersionRequest(proto.Message): + r"""Request message for + [KeyManagementService.RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion]. + + Attributes: + name (str): + Required. The resource name of the + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to + restore. + """ + + name = proto.Field(proto.STRING, number=1,) + + class EncryptRequest(proto.Message): r"""Request message for [KeyManagementService.Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt]. @@ -668,8 +720,6 @@ class EncryptRequest(proto.Message): However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type. - - NOTE: This field is in Beta. additional_authenticated_data_crc32c (google.protobuf.wrappers_pb2.Int64Value): Optional. An optional CRC32C checksum of the [EncryptRequest.additional_authenticated_data][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data]. @@ -691,8 +741,6 @@ class EncryptRequest(proto.Message): However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type. - - NOTE: This field is in Beta. """ name = proto.Field(proto.STRING, number=1,) @@ -743,8 +791,6 @@ class DecryptRequest(proto.Message): However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type. - - NOTE: This field is in Beta. additional_authenticated_data_crc32c (google.protobuf.wrappers_pb2.Int64Value): Optional. An optional CRC32C checksum of the [DecryptRequest.additional_authenticated_data][google.cloud.kms.v1.DecryptRequest.additional_authenticated_data]. @@ -766,8 +812,6 @@ class DecryptRequest(proto.Message): However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type. - - NOTE: This field is in Beta. """ name = proto.Field(proto.STRING, number=1,) @@ -816,8 +860,6 @@ class AsymmetricSignRequest(proto.Message): However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type. - - NOTE: This field is in Beta. """ name = proto.Field(proto.STRING, number=1,) @@ -861,8 +903,6 @@ class AsymmetricDecryptRequest(proto.Message): However, it is a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type. - - NOTE: This field is in Beta. """ name = proto.Field(proto.STRING, number=1,) @@ -872,43 +912,135 @@ class AsymmetricDecryptRequest(proto.Message): ) -class DecryptResponse(proto.Message): - r"""Response message for - [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt]. +class MacSignRequest(proto.Message): + r"""Request message for + [KeyManagementService.MacSign][google.cloud.kms.v1.KeyManagementService.MacSign]. Attributes: - plaintext (bytes): - The decrypted data originally supplied in - [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext]. - plaintext_crc32c (google.protobuf.wrappers_pb2.Int64Value): - Integrity verification field. A CRC32C checksum of the - returned - [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext]. - An integrity check of - [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext] - can be performed by computing the CRC32C checksum of - [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext] - and comparing your results to this field. Discard the - response in case of non-matching checksum values, and - perform a limited number of retries. A persistent mismatch - may indicate an issue in your computation of the CRC32C - checksum. Note: receiving this response message indicates - that + name (str): + Required. The resource name of the + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to + use for signing. + data (bytes): + Required. The data to sign. The MAC tag is + computed over this data field based on the + specific algorithm. + data_crc32c (google.protobuf.wrappers_pb2.Int64Value): + Optional. An optional CRC32C checksum of the + [MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data]. + If specified, [KeyManagementService][google.cloud.kms.v1.KeyManagementService] - is able to successfully decrypt the - [ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext]. - Note: This field is defined as int64 for reasons of - compatibility across different languages. However, it is a - non-negative integer, which will never exceed 2^32-1, and - can be safely downconverted to uint32 in languages that - support this type. + will verify the integrity of the received + [MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data] + using this checksum. + [KeyManagementService][google.cloud.kms.v1.KeyManagementService] + will report an error if the checksum verification fails. If + you receive a checksum error, your client should verify that + CRC32C([MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data]) + is equal to + [MacSignRequest.data_crc32c][google.cloud.kms.v1.MacSignRequest.data_crc32c], + and if so, perform a limited number of retries. A persistent + mismatch may indicate an issue in your computation of the + CRC32C checksum. Note: This field is defined as int64 for + reasons of compatibility across different languages. + However, it is a non-negative integer, which will never + exceed 2^32-1, and can be safely downconverted to uint32 in + languages that support this type. + """ + + name = proto.Field(proto.STRING, number=1,) + data = proto.Field(proto.BYTES, number=2,) + data_crc32c = proto.Field(proto.MESSAGE, number=3, message=wrappers_pb2.Int64Value,) + - NOTE: This field is in Beta. +class MacVerifyRequest(proto.Message): + r"""Request message for + [KeyManagementService.MacVerify][google.cloud.kms.v1.KeyManagementService.MacVerify]. + + Attributes: + name (str): + Required. The resource name of the + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to + use for verification. + data (bytes): + Required. The data used previously as a + [MacSignRequest.data][google.cloud.kms.v1.MacSignRequest.data] + to generate the MAC tag. + data_crc32c (google.protobuf.wrappers_pb2.Int64Value): + Optional. An optional CRC32C checksum of the + [MacVerifyRequest.data][google.cloud.kms.v1.MacVerifyRequest.data]. + If specified, + [KeyManagementService][google.cloud.kms.v1.KeyManagementService] + will verify the integrity of the received + [MacVerifyRequest.data][google.cloud.kms.v1.MacVerifyRequest.data] + using this checksum. + [KeyManagementService][google.cloud.kms.v1.KeyManagementService] + will report an error if the checksum verification fails. If + you receive a checksum error, your client should verify that + CRC32C([MacVerifyRequest.data][google.cloud.kms.v1.MacVerifyRequest.data]) + is equal to + [MacVerifyRequest.data_crc32c][google.cloud.kms.v1.MacVerifyRequest.data_crc32c], + and if so, perform a limited number of retries. A persistent + mismatch may indicate an issue in your computation of the + CRC32C checksum. Note: This field is defined as int64 for + reasons of compatibility across different languages. + However, it is a non-negative integer, which will never + exceed 2^32-1, and can be safely downconverted to uint32 in + languages that support this type. + mac (bytes): + Required. The signature to verify. + mac_crc32c (google.protobuf.wrappers_pb2.Int64Value): + Optional. An optional CRC32C checksum of the + [MacVerifyRequest.mac][google.cloud.kms.v1.MacVerifyRequest.mac]. + If specified, + [KeyManagementService][google.cloud.kms.v1.KeyManagementService] + will verify the integrity of the received + [MacVerifyRequest.mac][google.cloud.kms.v1.MacVerifyRequest.mac] + using this checksum. + [KeyManagementService][google.cloud.kms.v1.KeyManagementService] + will report an error if the checksum verification fails. If + you receive a checksum error, your client should verify that + CRC32C([MacVerifyRequest.tag][]) is equal to + [MacVerifyRequest.mac_crc32c][google.cloud.kms.v1.MacVerifyRequest.mac_crc32c], + and if so, perform a limited number of retries. A persistent + mismatch may indicate an issue in your computation of the + CRC32C checksum. Note: This field is defined as int64 for + reasons of compatibility across different languages. + However, it is a non-negative integer, which will never + exceed 2^32-1, and can be safely downconverted to uint32 in + languages that support this type. """ - plaintext = proto.Field(proto.BYTES, number=1,) - plaintext_crc32c = proto.Field( - proto.MESSAGE, number=2, message=wrappers_pb2.Int64Value, + name = proto.Field(proto.STRING, number=1,) + data = proto.Field(proto.BYTES, number=2,) + data_crc32c = proto.Field(proto.MESSAGE, number=3, message=wrappers_pb2.Int64Value,) + mac = proto.Field(proto.BYTES, number=4,) + mac_crc32c = proto.Field(proto.MESSAGE, number=5, message=wrappers_pb2.Int64Value,) + + +class GenerateRandomBytesRequest(proto.Message): + r"""Request message for + [KeyManagementService.GenerateRandomBytes][google.cloud.kms.v1.KeyManagementService.GenerateRandomBytes]. + + Attributes: + location (str): + The project-specific location in which to + generate random bytes. For example, + "projects/my-project/locations/us-central1". + length_bytes (int): + The length in bytes of the amount of + randomness to retrieve. Minimum 8 bytes, + maximum 1024 bytes. + protection_level (google.cloud.kms_v1.types.ProtectionLevel): + The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] + to use when generating the random data. Defaults to + [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE]. + """ + + location = proto.Field(proto.STRING, number=1,) + length_bytes = proto.Field(proto.INT32, number=2,) + protection_level = proto.Field( + proto.ENUM, number=3, enum=resources.ProtectionLevel, ) @@ -941,8 +1073,6 @@ class EncryptResponse(proto.Message): a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type. - - NOTE: This field is in Beta. verified_plaintext_crc32c (bool): Integrity verification field. A flag indicating whether [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c] @@ -958,8 +1088,6 @@ class EncryptResponse(proto.Message): [EncryptRequest.plaintext_crc32c][google.cloud.kms.v1.EncryptRequest.plaintext_crc32c] but this field is still false, discard the response and perform a limited number of retries. - - NOTE: This field is in Beta. verified_additional_authenticated_data_crc32c (bool): Integrity verification field. A flag indicating whether [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c] @@ -975,8 +1103,11 @@ class EncryptResponse(proto.Message): [EncryptRequest.additional_authenticated_data_crc32c][google.cloud.kms.v1.EncryptRequest.additional_authenticated_data_crc32c] but this field is still false, discard the response and perform a limited number of retries. - - NOTE: This field is in Beta. + protection_level (google.cloud.kms_v1.types.ProtectionLevel): + The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] + of the + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] + used in encryption. """ name = proto.Field(proto.STRING, number=1,) @@ -986,6 +1117,59 @@ class EncryptResponse(proto.Message): ) verified_plaintext_crc32c = proto.Field(proto.BOOL, number=5,) verified_additional_authenticated_data_crc32c = proto.Field(proto.BOOL, number=6,) + protection_level = proto.Field( + proto.ENUM, number=7, enum=resources.ProtectionLevel, + ) + + +class DecryptResponse(proto.Message): + r"""Response message for + [KeyManagementService.Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt]. + + Attributes: + plaintext (bytes): + The decrypted data originally supplied in + [EncryptRequest.plaintext][google.cloud.kms.v1.EncryptRequest.plaintext]. + plaintext_crc32c (google.protobuf.wrappers_pb2.Int64Value): + Integrity verification field. A CRC32C checksum of the + returned + [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext]. + An integrity check of + [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext] + can be performed by computing the CRC32C checksum of + [DecryptResponse.plaintext][google.cloud.kms.v1.DecryptResponse.plaintext] + and comparing your results to this field. Discard the + response in case of non-matching checksum values, and + perform a limited number of retries. A persistent mismatch + may indicate an issue in your computation of the CRC32C + checksum. Note: receiving this response message indicates + that + [KeyManagementService][google.cloud.kms.v1.KeyManagementService] + is able to successfully decrypt the + [ciphertext][google.cloud.kms.v1.DecryptRequest.ciphertext]. + Note: This field is defined as int64 for reasons of + compatibility across different languages. However, it is a + non-negative integer, which will never exceed 2^32-1, and + can be safely downconverted to uint32 in languages that + support this type. + used_primary (bool): + Whether the Decryption was performed using + the primary key version. + protection_level (google.cloud.kms_v1.types.ProtectionLevel): + The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] + of the + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] + used in decryption. + """ + + plaintext = proto.Field(proto.BYTES, number=1,) + plaintext_crc32c = proto.Field( + proto.MESSAGE, number=2, message=wrappers_pb2.Int64Value, + ) + used_primary = proto.Field(proto.BOOL, number=3,) + protection_level = proto.Field( + proto.ENUM, number=4, enum=resources.ProtectionLevel, + ) class AsymmetricSignResponse(proto.Message): @@ -1012,8 +1196,6 @@ class AsymmetricSignResponse(proto.Message): a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type. - - NOTE: This field is in Beta. verified_digest_crc32c (bool): Integrity verification field. A flag indicating whether [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c] @@ -1029,15 +1211,16 @@ class AsymmetricSignResponse(proto.Message): [AsymmetricSignRequest.digest_crc32c][google.cloud.kms.v1.AsymmetricSignRequest.digest_crc32c] but this field is still false, discard the response and perform a limited number of retries. - - NOTE: This field is in Beta. name (str): The resource name of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] used for signing. Check this field to verify that the intended resource was used for signing. - - NOTE: This field is in Beta. + protection_level (google.cloud.kms_v1.types.ProtectionLevel): + The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] + of the + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] + used for signing. """ signature = proto.Field(proto.BYTES, number=1,) @@ -1046,6 +1229,9 @@ class AsymmetricSignResponse(proto.Message): ) verified_digest_crc32c = proto.Field(proto.BOOL, number=3,) name = proto.Field(proto.STRING, number=4,) + protection_level = proto.Field( + proto.ENUM, number=6, enum=resources.ProtectionLevel, + ) class AsymmetricDecryptResponse(proto.Message): @@ -1073,8 +1259,6 @@ class AsymmetricDecryptResponse(proto.Message): a non-negative integer, which will never exceed 2^32-1, and can be safely downconverted to uint32 in languages that support this type. - - NOTE: This field is in Beta. verified_ciphertext_crc32c (bool): Integrity verification field. A flag indicating whether [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c] @@ -1090,8 +1274,11 @@ class AsymmetricDecryptResponse(proto.Message): [AsymmetricDecryptRequest.ciphertext_crc32c][google.cloud.kms.v1.AsymmetricDecryptRequest.ciphertext_crc32c] but this field is still false, discard the response and perform a limited number of retries. - - NOTE: This field is in Beta. + protection_level (google.cloud.kms_v1.types.ProtectionLevel): + The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] + of the + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] + used in decryption. """ plaintext = proto.Field(proto.BYTES, number=1,) @@ -1099,52 +1286,169 @@ class AsymmetricDecryptResponse(proto.Message): proto.MESSAGE, number=2, message=wrappers_pb2.Int64Value, ) verified_ciphertext_crc32c = proto.Field(proto.BOOL, number=3,) + protection_level = proto.Field( + proto.ENUM, number=4, enum=resources.ProtectionLevel, + ) -class UpdateCryptoKeyPrimaryVersionRequest(proto.Message): - r"""Request message for - [KeyManagementService.UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion]. +class MacSignResponse(proto.Message): + r"""Response message for + [KeyManagementService.MacSign][google.cloud.kms.v1.KeyManagementService.MacSign]. Attributes: name (str): - Required. The resource name of the - [CryptoKey][google.cloud.kms.v1.CryptoKey] to update. - crypto_key_version_id (str): - Required. The id of the child - [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to - use as primary. + The resource name of the + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] + used for signing. Check this field to verify that the + intended resource was used for signing. + mac (bytes): + The created signature. + mac_crc32c (google.protobuf.wrappers_pb2.Int64Value): + Integrity verification field. A CRC32C checksum of the + returned + [MacSignResponse.mac][google.cloud.kms.v1.MacSignResponse.mac]. + An integrity check of + [MacSignResponse.mac][google.cloud.kms.v1.MacSignResponse.mac] + can be performed by computing the CRC32C checksum of + [MacSignResponse.mac][google.cloud.kms.v1.MacSignResponse.mac] + and comparing your results to this field. Discard the + response in case of non-matching checksum values, and + perform a limited number of retries. A persistent mismatch + may indicate an issue in your computation of the CRC32C + checksum. Note: This field is defined as int64 for reasons + of compatibility across different languages. However, it is + a non-negative integer, which will never exceed 2^32-1, and + can be safely downconverted to uint32 in languages that + support this type. + verified_data_crc32c (bool): + Integrity verification field. A flag indicating whether + [MacSignRequest.data_crc32c][google.cloud.kms.v1.MacSignRequest.data_crc32c] + was received by + [KeyManagementService][google.cloud.kms.v1.KeyManagementService] + and used for the integrity verification of the + [data][google.cloud.kms.v1.MacSignRequest.data]. A false + value of this field indicates either that + [MacSignRequest.data_crc32c][google.cloud.kms.v1.MacSignRequest.data_crc32c] + was left unset or that it was not delivered to + [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. + If you've set + [MacSignRequest.data_crc32c][google.cloud.kms.v1.MacSignRequest.data_crc32c] + but this field is still false, discard the response and + perform a limited number of retries. + protection_level (google.cloud.kms_v1.types.ProtectionLevel): + The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] + of the + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] + used for signing. """ name = proto.Field(proto.STRING, number=1,) - crypto_key_version_id = proto.Field(proto.STRING, number=2,) + mac = proto.Field(proto.BYTES, number=2,) + mac_crc32c = proto.Field(proto.MESSAGE, number=3, message=wrappers_pb2.Int64Value,) + verified_data_crc32c = proto.Field(proto.BOOL, number=4,) + protection_level = proto.Field( + proto.ENUM, number=5, enum=resources.ProtectionLevel, + ) -class DestroyCryptoKeyVersionRequest(proto.Message): - r"""Request message for - [KeyManagementService.DestroyCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DestroyCryptoKeyVersion]. +class MacVerifyResponse(proto.Message): + r"""Response message for + [KeyManagementService.MacVerify][google.cloud.kms.v1.KeyManagementService.MacVerify]. Attributes: name (str): - Required. The resource name of the - [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to - destroy. + The resource name of the + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] + used for verification. Check this field to verify that the + intended resource was used for verification. + success (bool): + This field indicates whether or not the verification + operation for + [MacVerifyRequest.mac][google.cloud.kms.v1.MacVerifyRequest.mac] + over + [MacVerifyRequest.data][google.cloud.kms.v1.MacVerifyRequest.data] + was successful. + verified_data_crc32c (bool): + Integrity verification field. A flag indicating whether + [MacVerifyRequest.data_crc32c][google.cloud.kms.v1.MacVerifyRequest.data_crc32c] + was received by + [KeyManagementService][google.cloud.kms.v1.KeyManagementService] + and used for the integrity verification of the + [data][google.cloud.kms.v1.MacVerifyRequest.data]. A false + value of this field indicates either that + [MacVerifyRequest.data_crc32c][google.cloud.kms.v1.MacVerifyRequest.data_crc32c] + was left unset or that it was not delivered to + [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. + If you've set + [MacVerifyRequest.data_crc32c][google.cloud.kms.v1.MacVerifyRequest.data_crc32c] + but this field is still false, discard the response and + perform a limited number of retries. + verified_mac_crc32c (bool): + Integrity verification field. A flag indicating whether + [MacVerifyRequest.mac_crc32c][google.cloud.kms.v1.MacVerifyRequest.mac_crc32c] + was received by + [KeyManagementService][google.cloud.kms.v1.KeyManagementService] + and used for the integrity verification of the + [data][google.cloud.kms.v1.MacVerifyRequest.mac]. A false + value of this field indicates either that + [MacVerifyRequest.mac_crc32c][google.cloud.kms.v1.MacVerifyRequest.mac_crc32c] + was left unset or that it was not delivered to + [KeyManagementService][google.cloud.kms.v1.KeyManagementService]. + If you've set + [MacVerifyRequest.mac_crc32c][google.cloud.kms.v1.MacVerifyRequest.mac_crc32c] + but this field is still false, discard the response and + perform a limited number of retries. + verified_success_integrity (bool): + Integrity verification field. This value is used for the + integrity verification of [MacVerifyResponse.success]. If + the value of this field contradicts the value of + [MacVerifyResponse.success], discard the response and + perform a limited number of retries. + protection_level (google.cloud.kms_v1.types.ProtectionLevel): + The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] + of the + [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] + used for verification. """ name = proto.Field(proto.STRING, number=1,) + success = proto.Field(proto.BOOL, number=2,) + verified_data_crc32c = proto.Field(proto.BOOL, number=3,) + verified_mac_crc32c = proto.Field(proto.BOOL, number=4,) + verified_success_integrity = proto.Field(proto.BOOL, number=5,) + protection_level = proto.Field( + proto.ENUM, number=6, enum=resources.ProtectionLevel, + ) -class RestoreCryptoKeyVersionRequest(proto.Message): - r"""Request message for - [KeyManagementService.RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion]. +class GenerateRandomBytesResponse(proto.Message): + r"""Response message for + [KeyManagementService.GenerateRandomBytes][google.cloud.kms.v1.KeyManagementService.GenerateRandomBytes]. Attributes: - name (str): - Required. The resource name of the - [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to - restore. + data (bytes): + The generated data. + data_crc32c (google.protobuf.wrappers_pb2.Int64Value): + Integrity verification field. A CRC32C checksum of the + returned + [GenerateRandomBytesResponse.data][google.cloud.kms.v1.GenerateRandomBytesResponse.data]. + An integrity check of + [GenerateRandomBytesResponse.data][google.cloud.kms.v1.GenerateRandomBytesResponse.data] + can be performed by computing the CRC32C checksum of + [GenerateRandomBytesResponse.data][google.cloud.kms.v1.GenerateRandomBytesResponse.data] + and comparing your results to this field. Discard the + response in case of non-matching checksum values, and + perform a limited number of retries. A persistent mismatch + may indicate an issue in your computation of the CRC32C + checksum. Note: This field is defined as int64 for reasons + of compatibility across different languages. However, it is + a non-negative integer, which will never exceed 2^32-1, and + can be safely downconverted to uint32 in languages that + support this type. """ - name = proto.Field(proto.STRING, number=1,) + data = proto.Field(proto.BYTES, number=1,) + data_crc32c = proto.Field(proto.MESSAGE, number=3, message=wrappers_pb2.Int64Value,) class Digest(proto.Message): diff --git a/owlbot.py b/owlbot.py index 955fcf8f..c2149a0e 100644 --- a/owlbot.py +++ b/owlbot.py @@ -27,7 +27,7 @@ for library in s.get_staging_dirs(default_version): # Escape single '_' which RST treats as target names - s.replace(library / "google/**/resources.py", '''"(.*?)_((SIGN)|(DECRYPT))_"''', '''"\g<1>_\g<2>\_"''') + s.replace(library / "google/**/resources.py", '''"(.*?)((SIGN)|(DECRYPT)|(HMAC))_"''', '''"\g<1>\g<2>\_"''') # Docstrings of *_iam_policy() methods are formatted poorly and must be fixed # in order to avoid docstring format warnings in docs. diff --git a/scripts/fixup_kms_v1_keywords.py b/scripts/fixup_kms_v1_keywords.py index d6c94a2c..167ffd5d 100644 --- a/scripts/fixup_kms_v1_keywords.py +++ b/scripts/fixup_kms_v1_keywords.py @@ -48,6 +48,7 @@ class kmsCallTransformer(cst.CSTTransformer): 'decrypt': ('name', 'ciphertext', 'additional_authenticated_data', 'ciphertext_crc32c', 'additional_authenticated_data_crc32c', ), 'destroy_crypto_key_version': ('name', ), 'encrypt': ('name', 'plaintext', 'additional_authenticated_data', 'plaintext_crc32c', 'additional_authenticated_data_crc32c', ), + 'generate_random_bytes': ('location', 'length_bytes', 'protection_level', ), 'get_crypto_key': ('name', ), 'get_crypto_key_version': ('name', ), 'get_import_job': ('name', ), @@ -58,6 +59,8 @@ class kmsCallTransformer(cst.CSTTransformer): 'list_crypto_key_versions': ('parent', 'page_size', 'page_token', 'view', 'filter', 'order_by', ), 'list_import_jobs': ('parent', 'page_size', 'page_token', 'filter', 'order_by', ), 'list_key_rings': ('parent', 'page_size', 'page_token', 'filter', 'order_by', ), + 'mac_sign': ('name', 'data', 'data_crc32c', ), + 'mac_verify': ('name', 'data', 'mac', 'data_crc32c', 'mac_crc32c', ), 'restore_crypto_key_version': ('name', ), 'update_crypto_key': ('crypto_key', 'update_mask', ), 'update_crypto_key_primary_version': ('name', 'crypto_key_version_id', ), diff --git a/tests/unit/gapic/kms_v1/test_key_management_service.py b/tests/unit/gapic/kms_v1/test_key_management_service.py index 504e1f1f..ca9b896d 100644 --- a/tests/unit/gapic/kms_v1/test_key_management_service.py +++ b/tests/unit/gapic/kms_v1/test_key_management_service.py @@ -2234,6 +2234,7 @@ def test_get_crypto_key( call.return_value = resources.CryptoKey( name="name_value", purpose=resources.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT, + import_only=True, rotation_period=duration_pb2.Duration(seconds=751), ) response = client.get_crypto_key(request) @@ -2247,6 +2248,7 @@ def test_get_crypto_key( assert isinstance(response, resources.CryptoKey) assert response.name == "name_value" assert response.purpose == resources.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT + assert response.import_only is True def test_get_crypto_key_from_dict(): @@ -2287,6 +2289,7 @@ async def test_get_crypto_key_async( resources.CryptoKey( name="name_value", purpose=resources.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT, + import_only=True, ) ) response = await client.get_crypto_key(request) @@ -2300,6 +2303,7 @@ async def test_get_crypto_key_async( assert isinstance(response, resources.CryptoKey) assert response.name == "name_value" assert response.purpose == resources.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT + assert response.import_only is True @pytest.mark.asyncio @@ -2706,6 +2710,7 @@ def test_get_public_key( pem="pem_value", algorithm=resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION, name="name_value", + protection_level=resources.ProtectionLevel.SOFTWARE, ) response = client.get_public_key(request) @@ -2722,6 +2727,7 @@ def test_get_public_key( == resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION ) assert response.name == "name_value" + assert response.protection_level == resources.ProtectionLevel.SOFTWARE def test_get_public_key_from_dict(): @@ -2763,6 +2769,7 @@ async def test_get_public_key_async( pem="pem_value", algorithm=resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION, name="name_value", + protection_level=resources.ProtectionLevel.SOFTWARE, ) ) response = await client.get_public_key(request) @@ -2780,6 +2787,7 @@ async def test_get_public_key_async( == resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION ) assert response.name == "name_value" + assert response.protection_level == resources.ProtectionLevel.SOFTWARE @pytest.mark.asyncio @@ -3377,6 +3385,7 @@ def test_create_crypto_key( call.return_value = resources.CryptoKey( name="name_value", purpose=resources.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT, + import_only=True, rotation_period=duration_pb2.Duration(seconds=751), ) response = client.create_crypto_key(request) @@ -3390,6 +3399,7 @@ def test_create_crypto_key( assert isinstance(response, resources.CryptoKey) assert response.name == "name_value" assert response.purpose == resources.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT + assert response.import_only is True def test_create_crypto_key_from_dict(): @@ -3434,6 +3444,7 @@ async def test_create_crypto_key_async( resources.CryptoKey( name="name_value", purpose=resources.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT, + import_only=True, ) ) response = await client.create_crypto_key(request) @@ -3447,6 +3458,7 @@ async def test_create_crypto_key_async( assert isinstance(response, resources.CryptoKey) assert response.name == "name_value" assert response.purpose == resources.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT + assert response.import_only is True @pytest.mark.asyncio @@ -4336,6 +4348,7 @@ def test_update_crypto_key( call.return_value = resources.CryptoKey( name="name_value", purpose=resources.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT, + import_only=True, rotation_period=duration_pb2.Duration(seconds=751), ) response = client.update_crypto_key(request) @@ -4349,6 +4362,7 @@ def test_update_crypto_key( assert isinstance(response, resources.CryptoKey) assert response.name == "name_value" assert response.purpose == resources.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT + assert response.import_only is True def test_update_crypto_key_from_dict(): @@ -4393,6 +4407,7 @@ async def test_update_crypto_key_async( resources.CryptoKey( name="name_value", purpose=resources.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT, + import_only=True, ) ) response = await client.update_crypto_key(request) @@ -4406,6 +4421,7 @@ async def test_update_crypto_key_async( assert isinstance(response, resources.CryptoKey) assert response.name == "name_value" assert response.purpose == resources.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT + assert response.import_only is True @pytest.mark.asyncio @@ -4840,7 +4856,9 @@ async def test_update_crypto_key_version_flattened_error_async(): ) -def test_encrypt(transport: str = "grpc", request_type=service.EncryptRequest): +def test_update_crypto_key_primary_version( + transport: str = "grpc", request_type=service.UpdateCryptoKeyPrimaryVersionRequest +): client = KeyManagementServiceClient( credentials=ga_credentials.AnonymousCredentials(), transport=transport, ) @@ -4850,34 +4868,35 @@ def test_encrypt(transport: str = "grpc", request_type=service.EncryptRequest): request = request_type() # Mock the actual call within the gRPC stub, and fake the request. - with mock.patch.object(type(client.transport.encrypt), "__call__") as call: + with mock.patch.object( + type(client.transport.update_crypto_key_primary_version), "__call__" + ) as call: # Designate an appropriate return value for the call. - call.return_value = service.EncryptResponse( + call.return_value = resources.CryptoKey( name="name_value", - ciphertext=b"ciphertext_blob", - verified_plaintext_crc32c=True, - verified_additional_authenticated_data_crc32c=True, + purpose=resources.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT, + import_only=True, + rotation_period=duration_pb2.Duration(seconds=751), ) - response = client.encrypt(request) + response = client.update_crypto_key_primary_version(request) # Establish that the underlying gRPC stub method was called. assert len(call.mock_calls) == 1 _, args, _ = call.mock_calls[0] - assert args[0] == service.EncryptRequest() + assert args[0] == service.UpdateCryptoKeyPrimaryVersionRequest() # Establish that the response is the type that we expect. - assert isinstance(response, service.EncryptResponse) + assert isinstance(response, resources.CryptoKey) assert response.name == "name_value" - assert response.ciphertext == b"ciphertext_blob" - assert response.verified_plaintext_crc32c is True - assert response.verified_additional_authenticated_data_crc32c is True + assert response.purpose == resources.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT + assert response.import_only is True -def test_encrypt_from_dict(): - test_encrypt(request_type=dict) +def test_update_crypto_key_primary_version_from_dict(): + test_update_crypto_key_primary_version(request_type=dict) -def test_encrypt_empty_call(): +def test_update_crypto_key_primary_version_empty_call(): # This test is a coverage failsafe to make sure that totally empty calls, # i.e. request == None and no flattened fields passed, work. client = KeyManagementServiceClient( @@ -4885,16 +4904,19 @@ def test_encrypt_empty_call(): ) # Mock the actual call within the gRPC stub, and fake the request. - with mock.patch.object(type(client.transport.encrypt), "__call__") as call: - client.encrypt() + with mock.patch.object( + type(client.transport.update_crypto_key_primary_version), "__call__" + ) as call: + client.update_crypto_key_primary_version() call.assert_called() _, args, _ = call.mock_calls[0] - assert args[0] == service.EncryptRequest() + assert args[0] == service.UpdateCryptoKeyPrimaryVersionRequest() @pytest.mark.asyncio -async def test_encrypt_async( - transport: str = "grpc_asyncio", request_type=service.EncryptRequest +async def test_update_crypto_key_primary_version_async( + transport: str = "grpc_asyncio", + request_type=service.UpdateCryptoKeyPrimaryVersionRequest, ): client = KeyManagementServiceAsyncClient( credentials=ga_credentials.AnonymousCredentials(), transport=transport, @@ -4905,51 +4927,53 @@ async def test_encrypt_async( request = request_type() # Mock the actual call within the gRPC stub, and fake the request. - with mock.patch.object(type(client.transport.encrypt), "__call__") as call: + with mock.patch.object( + type(client.transport.update_crypto_key_primary_version), "__call__" + ) as call: # Designate an appropriate return value for the call. call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( - service.EncryptResponse( + resources.CryptoKey( name="name_value", - ciphertext=b"ciphertext_blob", - verified_plaintext_crc32c=True, - verified_additional_authenticated_data_crc32c=True, + purpose=resources.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT, + import_only=True, ) ) - response = await client.encrypt(request) + response = await client.update_crypto_key_primary_version(request) # Establish that the underlying gRPC stub method was called. assert len(call.mock_calls) _, args, _ = call.mock_calls[0] - assert args[0] == service.EncryptRequest() + assert args[0] == service.UpdateCryptoKeyPrimaryVersionRequest() # Establish that the response is the type that we expect. - assert isinstance(response, service.EncryptResponse) + assert isinstance(response, resources.CryptoKey) assert response.name == "name_value" - assert response.ciphertext == b"ciphertext_blob" - assert response.verified_plaintext_crc32c is True - assert response.verified_additional_authenticated_data_crc32c is True + assert response.purpose == resources.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT + assert response.import_only is True @pytest.mark.asyncio -async def test_encrypt_async_from_dict(): - await test_encrypt_async(request_type=dict) +async def test_update_crypto_key_primary_version_async_from_dict(): + await test_update_crypto_key_primary_version_async(request_type=dict) -def test_encrypt_field_headers(): +def test_update_crypto_key_primary_version_field_headers(): client = KeyManagementServiceClient( credentials=ga_credentials.AnonymousCredentials(), ) # Any value that is part of the HTTP/1.1 URI should be sent as # a field header. Set these to a non-empty value. - request = service.EncryptRequest() + request = service.UpdateCryptoKeyPrimaryVersionRequest() request.name = "name/value" # Mock the actual call within the gRPC stub, and fake the request. - with mock.patch.object(type(client.transport.encrypt), "__call__") as call: - call.return_value = service.EncryptResponse() - client.encrypt(request) + with mock.patch.object( + type(client.transport.update_crypto_key_primary_version), "__call__" + ) as call: + call.return_value = resources.CryptoKey() + client.update_crypto_key_primary_version(request) # Establish that the underlying gRPC stub method was called. assert len(call.mock_calls) == 1 @@ -4962,23 +4986,23 @@ def test_encrypt_field_headers(): @pytest.mark.asyncio -async def test_encrypt_field_headers_async(): +async def test_update_crypto_key_primary_version_field_headers_async(): client = KeyManagementServiceAsyncClient( credentials=ga_credentials.AnonymousCredentials(), ) # Any value that is part of the HTTP/1.1 URI should be sent as # a field header. Set these to a non-empty value. - request = service.EncryptRequest() + request = service.UpdateCryptoKeyPrimaryVersionRequest() request.name = "name/value" # Mock the actual call within the gRPC stub, and fake the request. - with mock.patch.object(type(client.transport.encrypt), "__call__") as call: - call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( - service.EncryptResponse() - ) - await client.encrypt(request) + with mock.patch.object( + type(client.transport.update_crypto_key_primary_version), "__call__" + ) as call: + call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(resources.CryptoKey()) + await client.update_crypto_key_primary_version(request) # Establish that the underlying gRPC stub method was called. assert len(call.mock_calls) @@ -4990,19 +5014,21 @@ async def test_encrypt_field_headers_async(): assert ("x-goog-request-params", "name=name/value",) in kw["metadata"] -def test_encrypt_flattened(): +def test_update_crypto_key_primary_version_flattened(): client = KeyManagementServiceClient( credentials=ga_credentials.AnonymousCredentials(), ) # Mock the actual call within the gRPC stub, and fake the request. - with mock.patch.object(type(client.transport.encrypt), "__call__") as call: + with mock.patch.object( + type(client.transport.update_crypto_key_primary_version), "__call__" + ) as call: # Designate an appropriate return value for the call. - call.return_value = service.EncryptResponse() + call.return_value = resources.CryptoKey() # Call the method with a truthy value for each flattened field, # using the keyword arguments to the method. - client.encrypt( - name="name_value", plaintext=b"plaintext_blob", + client.update_crypto_key_primary_version( + name="name_value", crypto_key_version_id="crypto_key_version_id_value", ) # Establish that the underlying call was made with the expected @@ -5010,10 +5036,10 @@ def test_encrypt_flattened(): assert len(call.mock_calls) == 1 _, args, _ = call.mock_calls[0] assert args[0].name == "name_value" - assert args[0].plaintext == b"plaintext_blob" + assert args[0].crypto_key_version_id == "crypto_key_version_id_value" -def test_encrypt_flattened_error(): +def test_update_crypto_key_primary_version_flattened_error(): client = KeyManagementServiceClient( credentials=ga_credentials.AnonymousCredentials(), ) @@ -5021,39 +5047,43 @@ def test_encrypt_flattened_error(): # Attempting to call a method with both a request object and flattened # fields is an error. with pytest.raises(ValueError): - client.encrypt( - service.EncryptRequest(), name="name_value", plaintext=b"plaintext_blob", + client.update_crypto_key_primary_version( + service.UpdateCryptoKeyPrimaryVersionRequest(), + name="name_value", + crypto_key_version_id="crypto_key_version_id_value", ) @pytest.mark.asyncio -async def test_encrypt_flattened_async(): +async def test_update_crypto_key_primary_version_flattened_async(): client = KeyManagementServiceAsyncClient( credentials=ga_credentials.AnonymousCredentials(), ) # Mock the actual call within the gRPC stub, and fake the request. - with mock.patch.object(type(client.transport.encrypt), "__call__") as call: + with mock.patch.object( + type(client.transport.update_crypto_key_primary_version), "__call__" + ) as call: # Designate an appropriate return value for the call. - call.return_value = service.EncryptResponse() + call.return_value = resources.CryptoKey() - call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( - service.EncryptResponse() - ) + call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(resources.CryptoKey()) # Call the method with a truthy value for each flattened field, # using the keyword arguments to the method. - response = await client.encrypt(name="name_value", plaintext=b"plaintext_blob",) + response = await client.update_crypto_key_primary_version( + name="name_value", crypto_key_version_id="crypto_key_version_id_value", + ) # Establish that the underlying call was made with the expected # request object values. assert len(call.mock_calls) _, args, _ = call.mock_calls[0] assert args[0].name == "name_value" - assert args[0].plaintext == b"plaintext_blob" + assert args[0].crypto_key_version_id == "crypto_key_version_id_value" @pytest.mark.asyncio -async def test_encrypt_flattened_error_async(): +async def test_update_crypto_key_primary_version_flattened_error_async(): client = KeyManagementServiceAsyncClient( credentials=ga_credentials.AnonymousCredentials(), ) @@ -5061,12 +5091,16 @@ async def test_encrypt_flattened_error_async(): # Attempting to call a method with both a request object and flattened # fields is an error. with pytest.raises(ValueError): - await client.encrypt( - service.EncryptRequest(), name="name_value", plaintext=b"plaintext_blob", + await client.update_crypto_key_primary_version( + service.UpdateCryptoKeyPrimaryVersionRequest(), + name="name_value", + crypto_key_version_id="crypto_key_version_id_value", ) -def test_decrypt(transport: str = "grpc", request_type=service.DecryptRequest): +def test_destroy_crypto_key_version( + transport: str = "grpc", request_type=service.DestroyCryptoKeyVersionRequest +): client = KeyManagementServiceClient( credentials=ga_credentials.AnonymousCredentials(), transport=transport, ) @@ -5076,26 +5110,46 @@ def test_decrypt(transport: str = "grpc", request_type=service.DecryptRequest): request = request_type() # Mock the actual call within the gRPC stub, and fake the request. - with mock.patch.object(type(client.transport.decrypt), "__call__") as call: + with mock.patch.object( + type(client.transport.destroy_crypto_key_version), "__call__" + ) as call: # Designate an appropriate return value for the call. - call.return_value = service.DecryptResponse(plaintext=b"plaintext_blob",) - response = client.decrypt(request) + call.return_value = resources.CryptoKeyVersion( + name="name_value", + state=resources.CryptoKeyVersion.CryptoKeyVersionState.PENDING_GENERATION, + protection_level=resources.ProtectionLevel.SOFTWARE, + algorithm=resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION, + import_job="import_job_value", + import_failure_reason="import_failure_reason_value", + ) + response = client.destroy_crypto_key_version(request) # Establish that the underlying gRPC stub method was called. assert len(call.mock_calls) == 1 _, args, _ = call.mock_calls[0] - assert args[0] == service.DecryptRequest() + assert args[0] == service.DestroyCryptoKeyVersionRequest() # Establish that the response is the type that we expect. - assert isinstance(response, service.DecryptResponse) - assert response.plaintext == b"plaintext_blob" + assert isinstance(response, resources.CryptoKeyVersion) + assert response.name == "name_value" + assert ( + response.state + == resources.CryptoKeyVersion.CryptoKeyVersionState.PENDING_GENERATION + ) + assert response.protection_level == resources.ProtectionLevel.SOFTWARE + assert ( + response.algorithm + == resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION + ) + assert response.import_job == "import_job_value" + assert response.import_failure_reason == "import_failure_reason_value" -def test_decrypt_from_dict(): - test_decrypt(request_type=dict) +def test_destroy_crypto_key_version_from_dict(): + test_destroy_crypto_key_version(request_type=dict) -def test_decrypt_empty_call(): +def test_destroy_crypto_key_version_empty_call(): # This test is a coverage failsafe to make sure that totally empty calls, # i.e. request == None and no flattened fields passed, work. client = KeyManagementServiceClient( @@ -5103,16 +5157,18 @@ def test_decrypt_empty_call(): ) # Mock the actual call within the gRPC stub, and fake the request. - with mock.patch.object(type(client.transport.decrypt), "__call__") as call: - client.decrypt() + with mock.patch.object( + type(client.transport.destroy_crypto_key_version), "__call__" + ) as call: + client.destroy_crypto_key_version() call.assert_called() _, args, _ = call.mock_calls[0] - assert args[0] == service.DecryptRequest() + assert args[0] == service.DestroyCryptoKeyVersionRequest() @pytest.mark.asyncio -async def test_decrypt_async( - transport: str = "grpc_asyncio", request_type=service.DecryptRequest +async def test_destroy_crypto_key_version_async( + transport: str = "grpc_asyncio", request_type=service.DestroyCryptoKeyVersionRequest ): client = KeyManagementServiceAsyncClient( credentials=ga_credentials.AnonymousCredentials(), transport=transport, @@ -5123,43 +5179,65 @@ async def test_decrypt_async( request = request_type() # Mock the actual call within the gRPC stub, and fake the request. - with mock.patch.object(type(client.transport.decrypt), "__call__") as call: + with mock.patch.object( + type(client.transport.destroy_crypto_key_version), "__call__" + ) as call: # Designate an appropriate return value for the call. call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( - service.DecryptResponse(plaintext=b"plaintext_blob",) + resources.CryptoKeyVersion( + name="name_value", + state=resources.CryptoKeyVersion.CryptoKeyVersionState.PENDING_GENERATION, + protection_level=resources.ProtectionLevel.SOFTWARE, + algorithm=resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION, + import_job="import_job_value", + import_failure_reason="import_failure_reason_value", + ) ) - response = await client.decrypt(request) + response = await client.destroy_crypto_key_version(request) # Establish that the underlying gRPC stub method was called. assert len(call.mock_calls) _, args, _ = call.mock_calls[0] - assert args[0] == service.DecryptRequest() + assert args[0] == service.DestroyCryptoKeyVersionRequest() # Establish that the response is the type that we expect. - assert isinstance(response, service.DecryptResponse) - assert response.plaintext == b"plaintext_blob" + assert isinstance(response, resources.CryptoKeyVersion) + assert response.name == "name_value" + assert ( + response.state + == resources.CryptoKeyVersion.CryptoKeyVersionState.PENDING_GENERATION + ) + assert response.protection_level == resources.ProtectionLevel.SOFTWARE + assert ( + response.algorithm + == resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION + ) + assert response.import_job == "import_job_value" + assert response.import_failure_reason == "import_failure_reason_value" @pytest.mark.asyncio -async def test_decrypt_async_from_dict(): - await test_decrypt_async(request_type=dict) +async def test_destroy_crypto_key_version_async_from_dict(): + await test_destroy_crypto_key_version_async(request_type=dict) -def test_decrypt_field_headers(): +def test_destroy_crypto_key_version_field_headers(): client = KeyManagementServiceClient( credentials=ga_credentials.AnonymousCredentials(), ) # Any value that is part of the HTTP/1.1 URI should be sent as # a field header. Set these to a non-empty value. - request = service.DecryptRequest() + request = service.DestroyCryptoKeyVersionRequest() request.name = "name/value" # Mock the actual call within the gRPC stub, and fake the request. - with mock.patch.object(type(client.transport.decrypt), "__call__") as call: - call.return_value = service.DecryptResponse() - client.decrypt(request) + with mock.patch.object( + type(client.transport.destroy_crypto_key_version), "__call__" + ) as call: + call.return_value = resources.CryptoKeyVersion() + client.destroy_crypto_key_version(request) # Establish that the underlying gRPC stub method was called. assert len(call.mock_calls) == 1 @@ -5172,21 +5250,733 @@ def test_decrypt_field_headers(): @pytest.mark.asyncio -async def test_decrypt_field_headers_async(): +async def test_destroy_crypto_key_version_field_headers_async(): client = KeyManagementServiceAsyncClient( credentials=ga_credentials.AnonymousCredentials(), ) # Any value that is part of the HTTP/1.1 URI should be sent as # a field header. Set these to a non-empty value. - request = service.DecryptRequest() + request = service.DestroyCryptoKeyVersionRequest() request.name = "name/value" # Mock the actual call within the gRPC stub, and fake the request. - with mock.patch.object(type(client.transport.decrypt), "__call__") as call: + with mock.patch.object( + type(client.transport.destroy_crypto_key_version), "__call__" + ) as call: call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( - service.DecryptResponse() + resources.CryptoKeyVersion() + ) + await client.destroy_crypto_key_version(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) + _, args, _ = call.mock_calls[0] + assert args[0] == request + + # Establish that the field header was sent. + _, _, kw = call.mock_calls[0] + assert ("x-goog-request-params", "name=name/value",) in kw["metadata"] + + +def test_destroy_crypto_key_version_flattened(): + client = KeyManagementServiceClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object( + type(client.transport.destroy_crypto_key_version), "__call__" + ) as call: + # Designate an appropriate return value for the call. + call.return_value = resources.CryptoKeyVersion() + # Call the method with a truthy value for each flattened field, + # using the keyword arguments to the method. + client.destroy_crypto_key_version(name="name_value",) + + # Establish that the underlying call was made with the expected + # request object values. + assert len(call.mock_calls) == 1 + _, args, _ = call.mock_calls[0] + assert args[0].name == "name_value" + + +def test_destroy_crypto_key_version_flattened_error(): + client = KeyManagementServiceClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Attempting to call a method with both a request object and flattened + # fields is an error. + with pytest.raises(ValueError): + client.destroy_crypto_key_version( + service.DestroyCryptoKeyVersionRequest(), name="name_value", + ) + + +@pytest.mark.asyncio +async def test_destroy_crypto_key_version_flattened_async(): + client = KeyManagementServiceAsyncClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object( + type(client.transport.destroy_crypto_key_version), "__call__" + ) as call: + # Designate an appropriate return value for the call. + call.return_value = resources.CryptoKeyVersion() + + call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( + resources.CryptoKeyVersion() + ) + # Call the method with a truthy value for each flattened field, + # using the keyword arguments to the method. + response = await client.destroy_crypto_key_version(name="name_value",) + + # Establish that the underlying call was made with the expected + # request object values. + assert len(call.mock_calls) + _, args, _ = call.mock_calls[0] + assert args[0].name == "name_value" + + +@pytest.mark.asyncio +async def test_destroy_crypto_key_version_flattened_error_async(): + client = KeyManagementServiceAsyncClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Attempting to call a method with both a request object and flattened + # fields is an error. + with pytest.raises(ValueError): + await client.destroy_crypto_key_version( + service.DestroyCryptoKeyVersionRequest(), name="name_value", + ) + + +def test_restore_crypto_key_version( + transport: str = "grpc", request_type=service.RestoreCryptoKeyVersionRequest +): + client = KeyManagementServiceClient( + credentials=ga_credentials.AnonymousCredentials(), transport=transport, + ) + + # Everything is optional in proto3 as far as the runtime is concerned, + # and we are mocking out the actual API, so just send an empty request. + request = request_type() + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object( + type(client.transport.restore_crypto_key_version), "__call__" + ) as call: + # Designate an appropriate return value for the call. + call.return_value = resources.CryptoKeyVersion( + name="name_value", + state=resources.CryptoKeyVersion.CryptoKeyVersionState.PENDING_GENERATION, + protection_level=resources.ProtectionLevel.SOFTWARE, + algorithm=resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION, + import_job="import_job_value", + import_failure_reason="import_failure_reason_value", + ) + response = client.restore_crypto_key_version(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) == 1 + _, args, _ = call.mock_calls[0] + assert args[0] == service.RestoreCryptoKeyVersionRequest() + + # Establish that the response is the type that we expect. + assert isinstance(response, resources.CryptoKeyVersion) + assert response.name == "name_value" + assert ( + response.state + == resources.CryptoKeyVersion.CryptoKeyVersionState.PENDING_GENERATION + ) + assert response.protection_level == resources.ProtectionLevel.SOFTWARE + assert ( + response.algorithm + == resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION + ) + assert response.import_job == "import_job_value" + assert response.import_failure_reason == "import_failure_reason_value" + + +def test_restore_crypto_key_version_from_dict(): + test_restore_crypto_key_version(request_type=dict) + + +def test_restore_crypto_key_version_empty_call(): + # This test is a coverage failsafe to make sure that totally empty calls, + # i.e. request == None and no flattened fields passed, work. + client = KeyManagementServiceClient( + credentials=ga_credentials.AnonymousCredentials(), transport="grpc", + ) + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object( + type(client.transport.restore_crypto_key_version), "__call__" + ) as call: + client.restore_crypto_key_version() + call.assert_called() + _, args, _ = call.mock_calls[0] + assert args[0] == service.RestoreCryptoKeyVersionRequest() + + +@pytest.mark.asyncio +async def test_restore_crypto_key_version_async( + transport: str = "grpc_asyncio", request_type=service.RestoreCryptoKeyVersionRequest +): + client = KeyManagementServiceAsyncClient( + credentials=ga_credentials.AnonymousCredentials(), transport=transport, + ) + + # Everything is optional in proto3 as far as the runtime is concerned, + # and we are mocking out the actual API, so just send an empty request. + request = request_type() + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object( + type(client.transport.restore_crypto_key_version), "__call__" + ) as call: + # Designate an appropriate return value for the call. + call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( + resources.CryptoKeyVersion( + name="name_value", + state=resources.CryptoKeyVersion.CryptoKeyVersionState.PENDING_GENERATION, + protection_level=resources.ProtectionLevel.SOFTWARE, + algorithm=resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION, + import_job="import_job_value", + import_failure_reason="import_failure_reason_value", + ) + ) + response = await client.restore_crypto_key_version(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) + _, args, _ = call.mock_calls[0] + assert args[0] == service.RestoreCryptoKeyVersionRequest() + + # Establish that the response is the type that we expect. + assert isinstance(response, resources.CryptoKeyVersion) + assert response.name == "name_value" + assert ( + response.state + == resources.CryptoKeyVersion.CryptoKeyVersionState.PENDING_GENERATION + ) + assert response.protection_level == resources.ProtectionLevel.SOFTWARE + assert ( + response.algorithm + == resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION + ) + assert response.import_job == "import_job_value" + assert response.import_failure_reason == "import_failure_reason_value" + + +@pytest.mark.asyncio +async def test_restore_crypto_key_version_async_from_dict(): + await test_restore_crypto_key_version_async(request_type=dict) + + +def test_restore_crypto_key_version_field_headers(): + client = KeyManagementServiceClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Any value that is part of the HTTP/1.1 URI should be sent as + # a field header. Set these to a non-empty value. + request = service.RestoreCryptoKeyVersionRequest() + + request.name = "name/value" + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object( + type(client.transport.restore_crypto_key_version), "__call__" + ) as call: + call.return_value = resources.CryptoKeyVersion() + client.restore_crypto_key_version(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) == 1 + _, args, _ = call.mock_calls[0] + assert args[0] == request + + # Establish that the field header was sent. + _, _, kw = call.mock_calls[0] + assert ("x-goog-request-params", "name=name/value",) in kw["metadata"] + + +@pytest.mark.asyncio +async def test_restore_crypto_key_version_field_headers_async(): + client = KeyManagementServiceAsyncClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Any value that is part of the HTTP/1.1 URI should be sent as + # a field header. Set these to a non-empty value. + request = service.RestoreCryptoKeyVersionRequest() + + request.name = "name/value" + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object( + type(client.transport.restore_crypto_key_version), "__call__" + ) as call: + call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( + resources.CryptoKeyVersion() + ) + await client.restore_crypto_key_version(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) + _, args, _ = call.mock_calls[0] + assert args[0] == request + + # Establish that the field header was sent. + _, _, kw = call.mock_calls[0] + assert ("x-goog-request-params", "name=name/value",) in kw["metadata"] + + +def test_restore_crypto_key_version_flattened(): + client = KeyManagementServiceClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object( + type(client.transport.restore_crypto_key_version), "__call__" + ) as call: + # Designate an appropriate return value for the call. + call.return_value = resources.CryptoKeyVersion() + # Call the method with a truthy value for each flattened field, + # using the keyword arguments to the method. + client.restore_crypto_key_version(name="name_value",) + + # Establish that the underlying call was made with the expected + # request object values. + assert len(call.mock_calls) == 1 + _, args, _ = call.mock_calls[0] + assert args[0].name == "name_value" + + +def test_restore_crypto_key_version_flattened_error(): + client = KeyManagementServiceClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Attempting to call a method with both a request object and flattened + # fields is an error. + with pytest.raises(ValueError): + client.restore_crypto_key_version( + service.RestoreCryptoKeyVersionRequest(), name="name_value", + ) + + +@pytest.mark.asyncio +async def test_restore_crypto_key_version_flattened_async(): + client = KeyManagementServiceAsyncClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object( + type(client.transport.restore_crypto_key_version), "__call__" + ) as call: + # Designate an appropriate return value for the call. + call.return_value = resources.CryptoKeyVersion() + + call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( + resources.CryptoKeyVersion() + ) + # Call the method with a truthy value for each flattened field, + # using the keyword arguments to the method. + response = await client.restore_crypto_key_version(name="name_value",) + + # Establish that the underlying call was made with the expected + # request object values. + assert len(call.mock_calls) + _, args, _ = call.mock_calls[0] + assert args[0].name == "name_value" + + +@pytest.mark.asyncio +async def test_restore_crypto_key_version_flattened_error_async(): + client = KeyManagementServiceAsyncClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Attempting to call a method with both a request object and flattened + # fields is an error. + with pytest.raises(ValueError): + await client.restore_crypto_key_version( + service.RestoreCryptoKeyVersionRequest(), name="name_value", + ) + + +def test_encrypt(transport: str = "grpc", request_type=service.EncryptRequest): + client = KeyManagementServiceClient( + credentials=ga_credentials.AnonymousCredentials(), transport=transport, + ) + + # Everything is optional in proto3 as far as the runtime is concerned, + # and we are mocking out the actual API, so just send an empty request. + request = request_type() + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.encrypt), "__call__") as call: + # Designate an appropriate return value for the call. + call.return_value = service.EncryptResponse( + name="name_value", + ciphertext=b"ciphertext_blob", + verified_plaintext_crc32c=True, + verified_additional_authenticated_data_crc32c=True, + protection_level=resources.ProtectionLevel.SOFTWARE, + ) + response = client.encrypt(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) == 1 + _, args, _ = call.mock_calls[0] + assert args[0] == service.EncryptRequest() + + # Establish that the response is the type that we expect. + assert isinstance(response, service.EncryptResponse) + assert response.name == "name_value" + assert response.ciphertext == b"ciphertext_blob" + assert response.verified_plaintext_crc32c is True + assert response.verified_additional_authenticated_data_crc32c is True + assert response.protection_level == resources.ProtectionLevel.SOFTWARE + + +def test_encrypt_from_dict(): + test_encrypt(request_type=dict) + + +def test_encrypt_empty_call(): + # This test is a coverage failsafe to make sure that totally empty calls, + # i.e. request == None and no flattened fields passed, work. + client = KeyManagementServiceClient( + credentials=ga_credentials.AnonymousCredentials(), transport="grpc", + ) + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.encrypt), "__call__") as call: + client.encrypt() + call.assert_called() + _, args, _ = call.mock_calls[0] + assert args[0] == service.EncryptRequest() + + +@pytest.mark.asyncio +async def test_encrypt_async( + transport: str = "grpc_asyncio", request_type=service.EncryptRequest +): + client = KeyManagementServiceAsyncClient( + credentials=ga_credentials.AnonymousCredentials(), transport=transport, + ) + + # Everything is optional in proto3 as far as the runtime is concerned, + # and we are mocking out the actual API, so just send an empty request. + request = request_type() + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.encrypt), "__call__") as call: + # Designate an appropriate return value for the call. + call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( + service.EncryptResponse( + name="name_value", + ciphertext=b"ciphertext_blob", + verified_plaintext_crc32c=True, + verified_additional_authenticated_data_crc32c=True, + protection_level=resources.ProtectionLevel.SOFTWARE, + ) + ) + response = await client.encrypt(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) + _, args, _ = call.mock_calls[0] + assert args[0] == service.EncryptRequest() + + # Establish that the response is the type that we expect. + assert isinstance(response, service.EncryptResponse) + assert response.name == "name_value" + assert response.ciphertext == b"ciphertext_blob" + assert response.verified_plaintext_crc32c is True + assert response.verified_additional_authenticated_data_crc32c is True + assert response.protection_level == resources.ProtectionLevel.SOFTWARE + + +@pytest.mark.asyncio +async def test_encrypt_async_from_dict(): + await test_encrypt_async(request_type=dict) + + +def test_encrypt_field_headers(): + client = KeyManagementServiceClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Any value that is part of the HTTP/1.1 URI should be sent as + # a field header. Set these to a non-empty value. + request = service.EncryptRequest() + + request.name = "name/value" + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.encrypt), "__call__") as call: + call.return_value = service.EncryptResponse() + client.encrypt(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) == 1 + _, args, _ = call.mock_calls[0] + assert args[0] == request + + # Establish that the field header was sent. + _, _, kw = call.mock_calls[0] + assert ("x-goog-request-params", "name=name/value",) in kw["metadata"] + + +@pytest.mark.asyncio +async def test_encrypt_field_headers_async(): + client = KeyManagementServiceAsyncClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Any value that is part of the HTTP/1.1 URI should be sent as + # a field header. Set these to a non-empty value. + request = service.EncryptRequest() + + request.name = "name/value" + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.encrypt), "__call__") as call: + call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( + service.EncryptResponse() + ) + await client.encrypt(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) + _, args, _ = call.mock_calls[0] + assert args[0] == request + + # Establish that the field header was sent. + _, _, kw = call.mock_calls[0] + assert ("x-goog-request-params", "name=name/value",) in kw["metadata"] + + +def test_encrypt_flattened(): + client = KeyManagementServiceClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.encrypt), "__call__") as call: + # Designate an appropriate return value for the call. + call.return_value = service.EncryptResponse() + # Call the method with a truthy value for each flattened field, + # using the keyword arguments to the method. + client.encrypt( + name="name_value", plaintext=b"plaintext_blob", + ) + + # Establish that the underlying call was made with the expected + # request object values. + assert len(call.mock_calls) == 1 + _, args, _ = call.mock_calls[0] + assert args[0].name == "name_value" + assert args[0].plaintext == b"plaintext_blob" + + +def test_encrypt_flattened_error(): + client = KeyManagementServiceClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Attempting to call a method with both a request object and flattened + # fields is an error. + with pytest.raises(ValueError): + client.encrypt( + service.EncryptRequest(), name="name_value", plaintext=b"plaintext_blob", + ) + + +@pytest.mark.asyncio +async def test_encrypt_flattened_async(): + client = KeyManagementServiceAsyncClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.encrypt), "__call__") as call: + # Designate an appropriate return value for the call. + call.return_value = service.EncryptResponse() + + call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( + service.EncryptResponse() + ) + # Call the method with a truthy value for each flattened field, + # using the keyword arguments to the method. + response = await client.encrypt(name="name_value", plaintext=b"plaintext_blob",) + + # Establish that the underlying call was made with the expected + # request object values. + assert len(call.mock_calls) + _, args, _ = call.mock_calls[0] + assert args[0].name == "name_value" + assert args[0].plaintext == b"plaintext_blob" + + +@pytest.mark.asyncio +async def test_encrypt_flattened_error_async(): + client = KeyManagementServiceAsyncClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Attempting to call a method with both a request object and flattened + # fields is an error. + with pytest.raises(ValueError): + await client.encrypt( + service.EncryptRequest(), name="name_value", plaintext=b"plaintext_blob", + ) + + +def test_decrypt(transport: str = "grpc", request_type=service.DecryptRequest): + client = KeyManagementServiceClient( + credentials=ga_credentials.AnonymousCredentials(), transport=transport, + ) + + # Everything is optional in proto3 as far as the runtime is concerned, + # and we are mocking out the actual API, so just send an empty request. + request = request_type() + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.decrypt), "__call__") as call: + # Designate an appropriate return value for the call. + call.return_value = service.DecryptResponse( + plaintext=b"plaintext_blob", + used_primary=True, + protection_level=resources.ProtectionLevel.SOFTWARE, + ) + response = client.decrypt(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) == 1 + _, args, _ = call.mock_calls[0] + assert args[0] == service.DecryptRequest() + + # Establish that the response is the type that we expect. + assert isinstance(response, service.DecryptResponse) + assert response.plaintext == b"plaintext_blob" + assert response.used_primary is True + assert response.protection_level == resources.ProtectionLevel.SOFTWARE + + +def test_decrypt_from_dict(): + test_decrypt(request_type=dict) + + +def test_decrypt_empty_call(): + # This test is a coverage failsafe to make sure that totally empty calls, + # i.e. request == None and no flattened fields passed, work. + client = KeyManagementServiceClient( + credentials=ga_credentials.AnonymousCredentials(), transport="grpc", + ) + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.decrypt), "__call__") as call: + client.decrypt() + call.assert_called() + _, args, _ = call.mock_calls[0] + assert args[0] == service.DecryptRequest() + + +@pytest.mark.asyncio +async def test_decrypt_async( + transport: str = "grpc_asyncio", request_type=service.DecryptRequest +): + client = KeyManagementServiceAsyncClient( + credentials=ga_credentials.AnonymousCredentials(), transport=transport, + ) + + # Everything is optional in proto3 as far as the runtime is concerned, + # and we are mocking out the actual API, so just send an empty request. + request = request_type() + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.decrypt), "__call__") as call: + # Designate an appropriate return value for the call. + call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( + service.DecryptResponse( + plaintext=b"plaintext_blob", + used_primary=True, + protection_level=resources.ProtectionLevel.SOFTWARE, + ) + ) + response = await client.decrypt(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) + _, args, _ = call.mock_calls[0] + assert args[0] == service.DecryptRequest() + + # Establish that the response is the type that we expect. + assert isinstance(response, service.DecryptResponse) + assert response.plaintext == b"plaintext_blob" + assert response.used_primary is True + assert response.protection_level == resources.ProtectionLevel.SOFTWARE + + +@pytest.mark.asyncio +async def test_decrypt_async_from_dict(): + await test_decrypt_async(request_type=dict) + + +def test_decrypt_field_headers(): + client = KeyManagementServiceClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Any value that is part of the HTTP/1.1 URI should be sent as + # a field header. Set these to a non-empty value. + request = service.DecryptRequest() + + request.name = "name/value" + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.decrypt), "__call__") as call: + call.return_value = service.DecryptResponse() + client.decrypt(request) + + # Establish that the underlying gRPC stub method was called. + assert len(call.mock_calls) == 1 + _, args, _ = call.mock_calls[0] + assert args[0] == request + + # Establish that the field header was sent. + _, _, kw = call.mock_calls[0] + assert ("x-goog-request-params", "name=name/value",) in kw["metadata"] + + +@pytest.mark.asyncio +async def test_decrypt_field_headers_async(): + client = KeyManagementServiceAsyncClient( + credentials=ga_credentials.AnonymousCredentials(), + ) + + # Any value that is part of the HTTP/1.1 URI should be sent as + # a field header. Set these to a non-empty value. + request = service.DecryptRequest() + + request.name = "name/value" + + # Mock the actual call within the gRPC stub, and fake the request. + with mock.patch.object(type(client.transport.decrypt), "__call__") as call: + call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( + service.DecryptResponse() ) await client.decrypt(request) @@ -5293,7 +6083,10 @@ def test_asymmetric_sign( with mock.patch.object(type(client.transport.asymmetric_sign), "__call__") as call: # Designate an appropriate return value for the call. call.return_value = service.AsymmetricSignResponse( - signature=b"signature_blob", verified_digest_crc32c=True, name="name_value", + signature=b"signature_blob", + verified_digest_crc32c=True, + name="name_value", + protection_level=resources.ProtectionLevel.SOFTWARE, ) response = client.asymmetric_sign(request) @@ -5307,6 +6100,7 @@ def test_asymmetric_sign( assert response.signature == b"signature_blob" assert response.verified_digest_crc32c is True assert response.name == "name_value" + assert response.protection_level == resources.ProtectionLevel.SOFTWARE def test_asymmetric_sign_from_dict(): @@ -5348,6 +6142,7 @@ async def test_asymmetric_sign_async( signature=b"signature_blob", verified_digest_crc32c=True, name="name_value", + protection_level=resources.ProtectionLevel.SOFTWARE, ) ) response = await client.asymmetric_sign(request) @@ -5362,6 +6157,7 @@ async def test_asymmetric_sign_async( assert response.signature == b"signature_blob" assert response.verified_digest_crc32c is True assert response.name == "name_value" + assert response.protection_level == resources.ProtectionLevel.SOFTWARE @pytest.mark.asyncio @@ -5523,7 +6319,9 @@ def test_asymmetric_decrypt( ) as call: # Designate an appropriate return value for the call. call.return_value = service.AsymmetricDecryptResponse( - plaintext=b"plaintext_blob", verified_ciphertext_crc32c=True, + plaintext=b"plaintext_blob", + verified_ciphertext_crc32c=True, + protection_level=resources.ProtectionLevel.SOFTWARE, ) response = client.asymmetric_decrypt(request) @@ -5536,6 +6334,7 @@ def test_asymmetric_decrypt( assert isinstance(response, service.AsymmetricDecryptResponse) assert response.plaintext == b"plaintext_blob" assert response.verified_ciphertext_crc32c is True + assert response.protection_level == resources.ProtectionLevel.SOFTWARE def test_asymmetric_decrypt_from_dict(): @@ -5578,7 +6377,9 @@ async def test_asymmetric_decrypt_async( # Designate an appropriate return value for the call. call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( service.AsymmetricDecryptResponse( - plaintext=b"plaintext_blob", verified_ciphertext_crc32c=True, + plaintext=b"plaintext_blob", + verified_ciphertext_crc32c=True, + protection_level=resources.ProtectionLevel.SOFTWARE, ) ) response = await client.asymmetric_decrypt(request) @@ -5592,6 +6393,7 @@ async def test_asymmetric_decrypt_async( assert isinstance(response, service.AsymmetricDecryptResponse) assert response.plaintext == b"plaintext_blob" assert response.verified_ciphertext_crc32c is True + assert response.protection_level == resources.ProtectionLevel.SOFTWARE @pytest.mark.asyncio @@ -5744,9 +6546,7 @@ async def test_asymmetric_decrypt_flattened_error_async(): ) -def test_update_crypto_key_primary_version( - transport: str = "grpc", request_type=service.UpdateCryptoKeyPrimaryVersionRequest -): +def test_mac_sign(transport: str = "grpc", request_type=service.MacSignRequest): client = KeyManagementServiceClient( credentials=ga_credentials.AnonymousCredentials(), transport=transport, ) @@ -5756,33 +6556,34 @@ def test_update_crypto_key_primary_version( request = request_type() # Mock the actual call within the gRPC stub, and fake the request. - with mock.patch.object( - type(client.transport.update_crypto_key_primary_version), "__call__" - ) as call: + with mock.patch.object(type(client.transport.mac_sign), "__call__") as call: # Designate an appropriate return value for the call. - call.return_value = resources.CryptoKey( + call.return_value = service.MacSignResponse( name="name_value", - purpose=resources.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT, - rotation_period=duration_pb2.Duration(seconds=751), + mac=b"mac_blob", + verified_data_crc32c=True, + protection_level=resources.ProtectionLevel.SOFTWARE, ) - response = client.update_crypto_key_primary_version(request) + response = client.mac_sign(request) # Establish that the underlying gRPC stub method was called. assert len(call.mock_calls) == 1 _, args, _ = call.mock_calls[0] - assert args[0] == service.UpdateCryptoKeyPrimaryVersionRequest() + assert args[0] == service.MacSignRequest() # Establish that the response is the type that we expect. - assert isinstance(response, resources.CryptoKey) + assert isinstance(response, service.MacSignResponse) assert response.name == "name_value" - assert response.purpose == resources.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT + assert response.mac == b"mac_blob" + assert response.verified_data_crc32c is True + assert response.protection_level == resources.ProtectionLevel.SOFTWARE -def test_update_crypto_key_primary_version_from_dict(): - test_update_crypto_key_primary_version(request_type=dict) +def test_mac_sign_from_dict(): + test_mac_sign(request_type=dict) -def test_update_crypto_key_primary_version_empty_call(): +def test_mac_sign_empty_call(): # This test is a coverage failsafe to make sure that totally empty calls, # i.e. request == None and no flattened fields passed, work. client = KeyManagementServiceClient( @@ -5790,19 +6591,16 @@ def test_update_crypto_key_primary_version_empty_call(): ) # Mock the actual call within the gRPC stub, and fake the request. - with mock.patch.object( - type(client.transport.update_crypto_key_primary_version), "__call__" - ) as call: - client.update_crypto_key_primary_version() + with mock.patch.object(type(client.transport.mac_sign), "__call__") as call: + client.mac_sign() call.assert_called() _, args, _ = call.mock_calls[0] - assert args[0] == service.UpdateCryptoKeyPrimaryVersionRequest() + assert args[0] == service.MacSignRequest() @pytest.mark.asyncio -async def test_update_crypto_key_primary_version_async( - transport: str = "grpc_asyncio", - request_type=service.UpdateCryptoKeyPrimaryVersionRequest, +async def test_mac_sign_async( + transport: str = "grpc_asyncio", request_type=service.MacSignRequest ): client = KeyManagementServiceAsyncClient( credentials=ga_credentials.AnonymousCredentials(), transport=transport, @@ -5813,51 +6611,51 @@ async def test_update_crypto_key_primary_version_async( request = request_type() # Mock the actual call within the gRPC stub, and fake the request. - with mock.patch.object( - type(client.transport.update_crypto_key_primary_version), "__call__" - ) as call: + with mock.patch.object(type(client.transport.mac_sign), "__call__") as call: # Designate an appropriate return value for the call. call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( - resources.CryptoKey( + service.MacSignResponse( name="name_value", - purpose=resources.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT, + mac=b"mac_blob", + verified_data_crc32c=True, + protection_level=resources.ProtectionLevel.SOFTWARE, ) ) - response = await client.update_crypto_key_primary_version(request) + response = await client.mac_sign(request) # Establish that the underlying gRPC stub method was called. assert len(call.mock_calls) _, args, _ = call.mock_calls[0] - assert args[0] == service.UpdateCryptoKeyPrimaryVersionRequest() + assert args[0] == service.MacSignRequest() # Establish that the response is the type that we expect. - assert isinstance(response, resources.CryptoKey) + assert isinstance(response, service.MacSignResponse) assert response.name == "name_value" - assert response.purpose == resources.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT + assert response.mac == b"mac_blob" + assert response.verified_data_crc32c is True + assert response.protection_level == resources.ProtectionLevel.SOFTWARE @pytest.mark.asyncio -async def test_update_crypto_key_primary_version_async_from_dict(): - await test_update_crypto_key_primary_version_async(request_type=dict) +async def test_mac_sign_async_from_dict(): + await test_mac_sign_async(request_type=dict) -def test_update_crypto_key_primary_version_field_headers(): +def test_mac_sign_field_headers(): client = KeyManagementServiceClient( credentials=ga_credentials.AnonymousCredentials(), ) # Any value that is part of the HTTP/1.1 URI should be sent as # a field header. Set these to a non-empty value. - request = service.UpdateCryptoKeyPrimaryVersionRequest() + request = service.MacSignRequest() request.name = "name/value" # Mock the actual call within the gRPC stub, and fake the request. - with mock.patch.object( - type(client.transport.update_crypto_key_primary_version), "__call__" - ) as call: - call.return_value = resources.CryptoKey() - client.update_crypto_key_primary_version(request) + with mock.patch.object(type(client.transport.mac_sign), "__call__") as call: + call.return_value = service.MacSignResponse() + client.mac_sign(request) # Establish that the underlying gRPC stub method was called. assert len(call.mock_calls) == 1 @@ -5870,23 +6668,23 @@ def test_update_crypto_key_primary_version_field_headers(): @pytest.mark.asyncio -async def test_update_crypto_key_primary_version_field_headers_async(): +async def test_mac_sign_field_headers_async(): client = KeyManagementServiceAsyncClient( credentials=ga_credentials.AnonymousCredentials(), ) # Any value that is part of the HTTP/1.1 URI should be sent as # a field header. Set these to a non-empty value. - request = service.UpdateCryptoKeyPrimaryVersionRequest() + request = service.MacSignRequest() request.name = "name/value" # Mock the actual call within the gRPC stub, and fake the request. - with mock.patch.object( - type(client.transport.update_crypto_key_primary_version), "__call__" - ) as call: - call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(resources.CryptoKey()) - await client.update_crypto_key_primary_version(request) + with mock.patch.object(type(client.transport.mac_sign), "__call__") as call: + call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( + service.MacSignResponse() + ) + await client.mac_sign(request) # Establish that the underlying gRPC stub method was called. assert len(call.mock_calls) @@ -5898,21 +6696,19 @@ async def test_update_crypto_key_primary_version_field_headers_async(): assert ("x-goog-request-params", "name=name/value",) in kw["metadata"] -def test_update_crypto_key_primary_version_flattened(): +def test_mac_sign_flattened(): client = KeyManagementServiceClient( credentials=ga_credentials.AnonymousCredentials(), ) # Mock the actual call within the gRPC stub, and fake the request. - with mock.patch.object( - type(client.transport.update_crypto_key_primary_version), "__call__" - ) as call: + with mock.patch.object(type(client.transport.mac_sign), "__call__") as call: # Designate an appropriate return value for the call. - call.return_value = resources.CryptoKey() + call.return_value = service.MacSignResponse() # Call the method with a truthy value for each flattened field, # using the keyword arguments to the method. - client.update_crypto_key_primary_version( - name="name_value", crypto_key_version_id="crypto_key_version_id_value", + client.mac_sign( + name="name_value", data=b"data_blob", ) # Establish that the underlying call was made with the expected @@ -5920,10 +6716,10 @@ def test_update_crypto_key_primary_version_flattened(): assert len(call.mock_calls) == 1 _, args, _ = call.mock_calls[0] assert args[0].name == "name_value" - assert args[0].crypto_key_version_id == "crypto_key_version_id_value" + assert args[0].data == b"data_blob" -def test_update_crypto_key_primary_version_flattened_error(): +def test_mac_sign_flattened_error(): client = KeyManagementServiceClient( credentials=ga_credentials.AnonymousCredentials(), ) @@ -5931,43 +6727,39 @@ def test_update_crypto_key_primary_version_flattened_error(): # Attempting to call a method with both a request object and flattened # fields is an error. with pytest.raises(ValueError): - client.update_crypto_key_primary_version( - service.UpdateCryptoKeyPrimaryVersionRequest(), - name="name_value", - crypto_key_version_id="crypto_key_version_id_value", + client.mac_sign( + service.MacSignRequest(), name="name_value", data=b"data_blob", ) @pytest.mark.asyncio -async def test_update_crypto_key_primary_version_flattened_async(): +async def test_mac_sign_flattened_async(): client = KeyManagementServiceAsyncClient( credentials=ga_credentials.AnonymousCredentials(), ) # Mock the actual call within the gRPC stub, and fake the request. - with mock.patch.object( - type(client.transport.update_crypto_key_primary_version), "__call__" - ) as call: + with mock.patch.object(type(client.transport.mac_sign), "__call__") as call: # Designate an appropriate return value for the call. - call.return_value = resources.CryptoKey() + call.return_value = service.MacSignResponse() - call.return_value = grpc_helpers_async.FakeUnaryUnaryCall(resources.CryptoKey()) + call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( + service.MacSignResponse() + ) # Call the method with a truthy value for each flattened field, # using the keyword arguments to the method. - response = await client.update_crypto_key_primary_version( - name="name_value", crypto_key_version_id="crypto_key_version_id_value", - ) + response = await client.mac_sign(name="name_value", data=b"data_blob",) # Establish that the underlying call was made with the expected # request object values. assert len(call.mock_calls) _, args, _ = call.mock_calls[0] assert args[0].name == "name_value" - assert args[0].crypto_key_version_id == "crypto_key_version_id_value" + assert args[0].data == b"data_blob" @pytest.mark.asyncio -async def test_update_crypto_key_primary_version_flattened_error_async(): +async def test_mac_sign_flattened_error_async(): client = KeyManagementServiceAsyncClient( credentials=ga_credentials.AnonymousCredentials(), ) @@ -5975,16 +6767,12 @@ async def test_update_crypto_key_primary_version_flattened_error_async(): # Attempting to call a method with both a request object and flattened # fields is an error. with pytest.raises(ValueError): - await client.update_crypto_key_primary_version( - service.UpdateCryptoKeyPrimaryVersionRequest(), - name="name_value", - crypto_key_version_id="crypto_key_version_id_value", + await client.mac_sign( + service.MacSignRequest(), name="name_value", data=b"data_blob", ) -def test_destroy_crypto_key_version( - transport: str = "grpc", request_type=service.DestroyCryptoKeyVersionRequest -): +def test_mac_verify(transport: str = "grpc", request_type=service.MacVerifyRequest): client = KeyManagementServiceClient( credentials=ga_credentials.AnonymousCredentials(), transport=transport, ) @@ -5994,46 +6782,38 @@ def test_destroy_crypto_key_version( request = request_type() # Mock the actual call within the gRPC stub, and fake the request. - with mock.patch.object( - type(client.transport.destroy_crypto_key_version), "__call__" - ) as call: + with mock.patch.object(type(client.transport.mac_verify), "__call__") as call: # Designate an appropriate return value for the call. - call.return_value = resources.CryptoKeyVersion( + call.return_value = service.MacVerifyResponse( name="name_value", - state=resources.CryptoKeyVersion.CryptoKeyVersionState.PENDING_GENERATION, + success=True, + verified_data_crc32c=True, + verified_mac_crc32c=True, + verified_success_integrity=True, protection_level=resources.ProtectionLevel.SOFTWARE, - algorithm=resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION, - import_job="import_job_value", - import_failure_reason="import_failure_reason_value", ) - response = client.destroy_crypto_key_version(request) + response = client.mac_verify(request) # Establish that the underlying gRPC stub method was called. assert len(call.mock_calls) == 1 _, args, _ = call.mock_calls[0] - assert args[0] == service.DestroyCryptoKeyVersionRequest() + assert args[0] == service.MacVerifyRequest() # Establish that the response is the type that we expect. - assert isinstance(response, resources.CryptoKeyVersion) + assert isinstance(response, service.MacVerifyResponse) assert response.name == "name_value" - assert ( - response.state - == resources.CryptoKeyVersion.CryptoKeyVersionState.PENDING_GENERATION - ) + assert response.success is True + assert response.verified_data_crc32c is True + assert response.verified_mac_crc32c is True + assert response.verified_success_integrity is True assert response.protection_level == resources.ProtectionLevel.SOFTWARE - assert ( - response.algorithm - == resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION - ) - assert response.import_job == "import_job_value" - assert response.import_failure_reason == "import_failure_reason_value" -def test_destroy_crypto_key_version_from_dict(): - test_destroy_crypto_key_version(request_type=dict) +def test_mac_verify_from_dict(): + test_mac_verify(request_type=dict) -def test_destroy_crypto_key_version_empty_call(): +def test_mac_verify_empty_call(): # This test is a coverage failsafe to make sure that totally empty calls, # i.e. request == None and no flattened fields passed, work. client = KeyManagementServiceClient( @@ -6041,18 +6821,16 @@ def test_destroy_crypto_key_version_empty_call(): ) # Mock the actual call within the gRPC stub, and fake the request. - with mock.patch.object( - type(client.transport.destroy_crypto_key_version), "__call__" - ) as call: - client.destroy_crypto_key_version() + with mock.patch.object(type(client.transport.mac_verify), "__call__") as call: + client.mac_verify() call.assert_called() _, args, _ = call.mock_calls[0] - assert args[0] == service.DestroyCryptoKeyVersionRequest() + assert args[0] == service.MacVerifyRequest() @pytest.mark.asyncio -async def test_destroy_crypto_key_version_async( - transport: str = "grpc_asyncio", request_type=service.DestroyCryptoKeyVersionRequest +async def test_mac_verify_async( + transport: str = "grpc_asyncio", request_type=service.MacVerifyRequest ): client = KeyManagementServiceAsyncClient( credentials=ga_credentials.AnonymousCredentials(), transport=transport, @@ -6063,65 +6841,55 @@ async def test_destroy_crypto_key_version_async( request = request_type() # Mock the actual call within the gRPC stub, and fake the request. - with mock.patch.object( - type(client.transport.destroy_crypto_key_version), "__call__" - ) as call: + with mock.patch.object(type(client.transport.mac_verify), "__call__") as call: # Designate an appropriate return value for the call. call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( - resources.CryptoKeyVersion( + service.MacVerifyResponse( name="name_value", - state=resources.CryptoKeyVersion.CryptoKeyVersionState.PENDING_GENERATION, + success=True, + verified_data_crc32c=True, + verified_mac_crc32c=True, + verified_success_integrity=True, protection_level=resources.ProtectionLevel.SOFTWARE, - algorithm=resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION, - import_job="import_job_value", - import_failure_reason="import_failure_reason_value", ) ) - response = await client.destroy_crypto_key_version(request) + response = await client.mac_verify(request) # Establish that the underlying gRPC stub method was called. assert len(call.mock_calls) _, args, _ = call.mock_calls[0] - assert args[0] == service.DestroyCryptoKeyVersionRequest() + assert args[0] == service.MacVerifyRequest() # Establish that the response is the type that we expect. - assert isinstance(response, resources.CryptoKeyVersion) + assert isinstance(response, service.MacVerifyResponse) assert response.name == "name_value" - assert ( - response.state - == resources.CryptoKeyVersion.CryptoKeyVersionState.PENDING_GENERATION - ) + assert response.success is True + assert response.verified_data_crc32c is True + assert response.verified_mac_crc32c is True + assert response.verified_success_integrity is True assert response.protection_level == resources.ProtectionLevel.SOFTWARE - assert ( - response.algorithm - == resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION - ) - assert response.import_job == "import_job_value" - assert response.import_failure_reason == "import_failure_reason_value" @pytest.mark.asyncio -async def test_destroy_crypto_key_version_async_from_dict(): - await test_destroy_crypto_key_version_async(request_type=dict) +async def test_mac_verify_async_from_dict(): + await test_mac_verify_async(request_type=dict) -def test_destroy_crypto_key_version_field_headers(): +def test_mac_verify_field_headers(): client = KeyManagementServiceClient( credentials=ga_credentials.AnonymousCredentials(), ) # Any value that is part of the HTTP/1.1 URI should be sent as # a field header. Set these to a non-empty value. - request = service.DestroyCryptoKeyVersionRequest() + request = service.MacVerifyRequest() request.name = "name/value" # Mock the actual call within the gRPC stub, and fake the request. - with mock.patch.object( - type(client.transport.destroy_crypto_key_version), "__call__" - ) as call: - call.return_value = resources.CryptoKeyVersion() - client.destroy_crypto_key_version(request) + with mock.patch.object(type(client.transport.mac_verify), "__call__") as call: + call.return_value = service.MacVerifyResponse() + client.mac_verify(request) # Establish that the underlying gRPC stub method was called. assert len(call.mock_calls) == 1 @@ -6134,25 +6902,23 @@ def test_destroy_crypto_key_version_field_headers(): @pytest.mark.asyncio -async def test_destroy_crypto_key_version_field_headers_async(): +async def test_mac_verify_field_headers_async(): client = KeyManagementServiceAsyncClient( credentials=ga_credentials.AnonymousCredentials(), ) # Any value that is part of the HTTP/1.1 URI should be sent as # a field header. Set these to a non-empty value. - request = service.DestroyCryptoKeyVersionRequest() + request = service.MacVerifyRequest() request.name = "name/value" # Mock the actual call within the gRPC stub, and fake the request. - with mock.patch.object( - type(client.transport.destroy_crypto_key_version), "__call__" - ) as call: + with mock.patch.object(type(client.transport.mac_verify), "__call__") as call: call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( - resources.CryptoKeyVersion() + service.MacVerifyResponse() ) - await client.destroy_crypto_key_version(request) + await client.mac_verify(request) # Establish that the underlying gRPC stub method was called. assert len(call.mock_calls) @@ -6164,29 +6930,31 @@ async def test_destroy_crypto_key_version_field_headers_async(): assert ("x-goog-request-params", "name=name/value",) in kw["metadata"] -def test_destroy_crypto_key_version_flattened(): +def test_mac_verify_flattened(): client = KeyManagementServiceClient( credentials=ga_credentials.AnonymousCredentials(), ) # Mock the actual call within the gRPC stub, and fake the request. - with mock.patch.object( - type(client.transport.destroy_crypto_key_version), "__call__" - ) as call: + with mock.patch.object(type(client.transport.mac_verify), "__call__") as call: # Designate an appropriate return value for the call. - call.return_value = resources.CryptoKeyVersion() + call.return_value = service.MacVerifyResponse() # Call the method with a truthy value for each flattened field, # using the keyword arguments to the method. - client.destroy_crypto_key_version(name="name_value",) + client.mac_verify( + name="name_value", data=b"data_blob", mac=b"mac_blob", + ) # Establish that the underlying call was made with the expected # request object values. assert len(call.mock_calls) == 1 _, args, _ = call.mock_calls[0] assert args[0].name == "name_value" + assert args[0].data == b"data_blob" + assert args[0].mac == b"mac_blob" -def test_destroy_crypto_key_version_flattened_error(): +def test_mac_verify_flattened_error(): client = KeyManagementServiceClient( credentials=ga_credentials.AnonymousCredentials(), ) @@ -6194,40 +6962,45 @@ def test_destroy_crypto_key_version_flattened_error(): # Attempting to call a method with both a request object and flattened # fields is an error. with pytest.raises(ValueError): - client.destroy_crypto_key_version( - service.DestroyCryptoKeyVersionRequest(), name="name_value", + client.mac_verify( + service.MacVerifyRequest(), + name="name_value", + data=b"data_blob", + mac=b"mac_blob", ) @pytest.mark.asyncio -async def test_destroy_crypto_key_version_flattened_async(): +async def test_mac_verify_flattened_async(): client = KeyManagementServiceAsyncClient( credentials=ga_credentials.AnonymousCredentials(), ) # Mock the actual call within the gRPC stub, and fake the request. - with mock.patch.object( - type(client.transport.destroy_crypto_key_version), "__call__" - ) as call: + with mock.patch.object(type(client.transport.mac_verify), "__call__") as call: # Designate an appropriate return value for the call. - call.return_value = resources.CryptoKeyVersion() + call.return_value = service.MacVerifyResponse() call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( - resources.CryptoKeyVersion() + service.MacVerifyResponse() ) # Call the method with a truthy value for each flattened field, # using the keyword arguments to the method. - response = await client.destroy_crypto_key_version(name="name_value",) + response = await client.mac_verify( + name="name_value", data=b"data_blob", mac=b"mac_blob", + ) # Establish that the underlying call was made with the expected # request object values. assert len(call.mock_calls) _, args, _ = call.mock_calls[0] assert args[0].name == "name_value" + assert args[0].data == b"data_blob" + assert args[0].mac == b"mac_blob" @pytest.mark.asyncio -async def test_destroy_crypto_key_version_flattened_error_async(): +async def test_mac_verify_flattened_error_async(): client = KeyManagementServiceAsyncClient( credentials=ga_credentials.AnonymousCredentials(), ) @@ -6235,13 +7008,16 @@ async def test_destroy_crypto_key_version_flattened_error_async(): # Attempting to call a method with both a request object and flattened # fields is an error. with pytest.raises(ValueError): - await client.destroy_crypto_key_version( - service.DestroyCryptoKeyVersionRequest(), name="name_value", + await client.mac_verify( + service.MacVerifyRequest(), + name="name_value", + data=b"data_blob", + mac=b"mac_blob", ) -def test_restore_crypto_key_version( - transport: str = "grpc", request_type=service.RestoreCryptoKeyVersionRequest +def test_generate_random_bytes( + transport: str = "grpc", request_type=service.GenerateRandomBytesRequest ): client = KeyManagementServiceClient( credentials=ga_credentials.AnonymousCredentials(), transport=transport, @@ -6253,45 +7029,27 @@ def test_restore_crypto_key_version( # Mock the actual call within the gRPC stub, and fake the request. with mock.patch.object( - type(client.transport.restore_crypto_key_version), "__call__" + type(client.transport.generate_random_bytes), "__call__" ) as call: # Designate an appropriate return value for the call. - call.return_value = resources.CryptoKeyVersion( - name="name_value", - state=resources.CryptoKeyVersion.CryptoKeyVersionState.PENDING_GENERATION, - protection_level=resources.ProtectionLevel.SOFTWARE, - algorithm=resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION, - import_job="import_job_value", - import_failure_reason="import_failure_reason_value", - ) - response = client.restore_crypto_key_version(request) + call.return_value = service.GenerateRandomBytesResponse(data=b"data_blob",) + response = client.generate_random_bytes(request) # Establish that the underlying gRPC stub method was called. assert len(call.mock_calls) == 1 _, args, _ = call.mock_calls[0] - assert args[0] == service.RestoreCryptoKeyVersionRequest() + assert args[0] == service.GenerateRandomBytesRequest() # Establish that the response is the type that we expect. - assert isinstance(response, resources.CryptoKeyVersion) - assert response.name == "name_value" - assert ( - response.state - == resources.CryptoKeyVersion.CryptoKeyVersionState.PENDING_GENERATION - ) - assert response.protection_level == resources.ProtectionLevel.SOFTWARE - assert ( - response.algorithm - == resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION - ) - assert response.import_job == "import_job_value" - assert response.import_failure_reason == "import_failure_reason_value" + assert isinstance(response, service.GenerateRandomBytesResponse) + assert response.data == b"data_blob" -def test_restore_crypto_key_version_from_dict(): - test_restore_crypto_key_version(request_type=dict) +def test_generate_random_bytes_from_dict(): + test_generate_random_bytes(request_type=dict) -def test_restore_crypto_key_version_empty_call(): +def test_generate_random_bytes_empty_call(): # This test is a coverage failsafe to make sure that totally empty calls, # i.e. request == None and no flattened fields passed, work. client = KeyManagementServiceClient( @@ -6300,17 +7058,17 @@ def test_restore_crypto_key_version_empty_call(): # Mock the actual call within the gRPC stub, and fake the request. with mock.patch.object( - type(client.transport.restore_crypto_key_version), "__call__" + type(client.transport.generate_random_bytes), "__call__" ) as call: - client.restore_crypto_key_version() + client.generate_random_bytes() call.assert_called() _, args, _ = call.mock_calls[0] - assert args[0] == service.RestoreCryptoKeyVersionRequest() + assert args[0] == service.GenerateRandomBytesRequest() @pytest.mark.asyncio -async def test_restore_crypto_key_version_async( - transport: str = "grpc_asyncio", request_type=service.RestoreCryptoKeyVersionRequest +async def test_generate_random_bytes_async( + transport: str = "grpc_asyncio", request_type=service.GenerateRandomBytesRequest ): client = KeyManagementServiceAsyncClient( credentials=ga_credentials.AnonymousCredentials(), transport=transport, @@ -6322,64 +7080,46 @@ async def test_restore_crypto_key_version_async( # Mock the actual call within the gRPC stub, and fake the request. with mock.patch.object( - type(client.transport.restore_crypto_key_version), "__call__" + type(client.transport.generate_random_bytes), "__call__" ) as call: # Designate an appropriate return value for the call. call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( - resources.CryptoKeyVersion( - name="name_value", - state=resources.CryptoKeyVersion.CryptoKeyVersionState.PENDING_GENERATION, - protection_level=resources.ProtectionLevel.SOFTWARE, - algorithm=resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION, - import_job="import_job_value", - import_failure_reason="import_failure_reason_value", - ) + service.GenerateRandomBytesResponse(data=b"data_blob",) ) - response = await client.restore_crypto_key_version(request) + response = await client.generate_random_bytes(request) # Establish that the underlying gRPC stub method was called. assert len(call.mock_calls) _, args, _ = call.mock_calls[0] - assert args[0] == service.RestoreCryptoKeyVersionRequest() + assert args[0] == service.GenerateRandomBytesRequest() # Establish that the response is the type that we expect. - assert isinstance(response, resources.CryptoKeyVersion) - assert response.name == "name_value" - assert ( - response.state - == resources.CryptoKeyVersion.CryptoKeyVersionState.PENDING_GENERATION - ) - assert response.protection_level == resources.ProtectionLevel.SOFTWARE - assert ( - response.algorithm - == resources.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION - ) - assert response.import_job == "import_job_value" - assert response.import_failure_reason == "import_failure_reason_value" + assert isinstance(response, service.GenerateRandomBytesResponse) + assert response.data == b"data_blob" @pytest.mark.asyncio -async def test_restore_crypto_key_version_async_from_dict(): - await test_restore_crypto_key_version_async(request_type=dict) +async def test_generate_random_bytes_async_from_dict(): + await test_generate_random_bytes_async(request_type=dict) -def test_restore_crypto_key_version_field_headers(): +def test_generate_random_bytes_field_headers(): client = KeyManagementServiceClient( credentials=ga_credentials.AnonymousCredentials(), ) # Any value that is part of the HTTP/1.1 URI should be sent as # a field header. Set these to a non-empty value. - request = service.RestoreCryptoKeyVersionRequest() + request = service.GenerateRandomBytesRequest() - request.name = "name/value" + request.location = "location/value" # Mock the actual call within the gRPC stub, and fake the request. with mock.patch.object( - type(client.transport.restore_crypto_key_version), "__call__" + type(client.transport.generate_random_bytes), "__call__" ) as call: - call.return_value = resources.CryptoKeyVersion() - client.restore_crypto_key_version(request) + call.return_value = service.GenerateRandomBytesResponse() + client.generate_random_bytes(request) # Establish that the underlying gRPC stub method was called. assert len(call.mock_calls) == 1 @@ -6388,29 +7128,29 @@ def test_restore_crypto_key_version_field_headers(): # Establish that the field header was sent. _, _, kw = call.mock_calls[0] - assert ("x-goog-request-params", "name=name/value",) in kw["metadata"] + assert ("x-goog-request-params", "location=location/value",) in kw["metadata"] @pytest.mark.asyncio -async def test_restore_crypto_key_version_field_headers_async(): +async def test_generate_random_bytes_field_headers_async(): client = KeyManagementServiceAsyncClient( credentials=ga_credentials.AnonymousCredentials(), ) # Any value that is part of the HTTP/1.1 URI should be sent as # a field header. Set these to a non-empty value. - request = service.RestoreCryptoKeyVersionRequest() + request = service.GenerateRandomBytesRequest() - request.name = "name/value" + request.location = "location/value" # Mock the actual call within the gRPC stub, and fake the request. with mock.patch.object( - type(client.transport.restore_crypto_key_version), "__call__" + type(client.transport.generate_random_bytes), "__call__" ) as call: call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( - resources.CryptoKeyVersion() + service.GenerateRandomBytesResponse() ) - await client.restore_crypto_key_version(request) + await client.generate_random_bytes(request) # Establish that the underlying gRPC stub method was called. assert len(call.mock_calls) @@ -6419,32 +7159,38 @@ async def test_restore_crypto_key_version_field_headers_async(): # Establish that the field header was sent. _, _, kw = call.mock_calls[0] - assert ("x-goog-request-params", "name=name/value",) in kw["metadata"] + assert ("x-goog-request-params", "location=location/value",) in kw["metadata"] -def test_restore_crypto_key_version_flattened(): +def test_generate_random_bytes_flattened(): client = KeyManagementServiceClient( credentials=ga_credentials.AnonymousCredentials(), ) # Mock the actual call within the gRPC stub, and fake the request. with mock.patch.object( - type(client.transport.restore_crypto_key_version), "__call__" + type(client.transport.generate_random_bytes), "__call__" ) as call: # Designate an appropriate return value for the call. - call.return_value = resources.CryptoKeyVersion() + call.return_value = service.GenerateRandomBytesResponse() # Call the method with a truthy value for each flattened field, # using the keyword arguments to the method. - client.restore_crypto_key_version(name="name_value",) + client.generate_random_bytes( + location="location_value", + length_bytes=1288, + protection_level=resources.ProtectionLevel.SOFTWARE, + ) # Establish that the underlying call was made with the expected # request object values. assert len(call.mock_calls) == 1 _, args, _ = call.mock_calls[0] - assert args[0].name == "name_value" + assert args[0].location == "location_value" + assert args[0].length_bytes == 1288 + assert args[0].protection_level == resources.ProtectionLevel.SOFTWARE -def test_restore_crypto_key_version_flattened_error(): +def test_generate_random_bytes_flattened_error(): client = KeyManagementServiceClient( credentials=ga_credentials.AnonymousCredentials(), ) @@ -6452,40 +7198,49 @@ def test_restore_crypto_key_version_flattened_error(): # Attempting to call a method with both a request object and flattened # fields is an error. with pytest.raises(ValueError): - client.restore_crypto_key_version( - service.RestoreCryptoKeyVersionRequest(), name="name_value", + client.generate_random_bytes( + service.GenerateRandomBytesRequest(), + location="location_value", + length_bytes=1288, + protection_level=resources.ProtectionLevel.SOFTWARE, ) @pytest.mark.asyncio -async def test_restore_crypto_key_version_flattened_async(): +async def test_generate_random_bytes_flattened_async(): client = KeyManagementServiceAsyncClient( credentials=ga_credentials.AnonymousCredentials(), ) # Mock the actual call within the gRPC stub, and fake the request. with mock.patch.object( - type(client.transport.restore_crypto_key_version), "__call__" + type(client.transport.generate_random_bytes), "__call__" ) as call: # Designate an appropriate return value for the call. - call.return_value = resources.CryptoKeyVersion() + call.return_value = service.GenerateRandomBytesResponse() call.return_value = grpc_helpers_async.FakeUnaryUnaryCall( - resources.CryptoKeyVersion() + service.GenerateRandomBytesResponse() ) # Call the method with a truthy value for each flattened field, # using the keyword arguments to the method. - response = await client.restore_crypto_key_version(name="name_value",) + response = await client.generate_random_bytes( + location="location_value", + length_bytes=1288, + protection_level=resources.ProtectionLevel.SOFTWARE, + ) # Establish that the underlying call was made with the expected # request object values. assert len(call.mock_calls) _, args, _ = call.mock_calls[0] - assert args[0].name == "name_value" + assert args[0].location == "location_value" + assert args[0].length_bytes == 1288 + assert args[0].protection_level == resources.ProtectionLevel.SOFTWARE @pytest.mark.asyncio -async def test_restore_crypto_key_version_flattened_error_async(): +async def test_generate_random_bytes_flattened_error_async(): client = KeyManagementServiceAsyncClient( credentials=ga_credentials.AnonymousCredentials(), ) @@ -6493,8 +7248,11 @@ async def test_restore_crypto_key_version_flattened_error_async(): # Attempting to call a method with both a request object and flattened # fields is an error. with pytest.raises(ValueError): - await client.restore_crypto_key_version( - service.RestoreCryptoKeyVersionRequest(), name="name_value", + await client.generate_random_bytes( + service.GenerateRandomBytesRequest(), + location="location_value", + length_bytes=1288, + protection_level=resources.ProtectionLevel.SOFTWARE, ) @@ -6613,13 +7371,16 @@ def test_key_management_service_base_transport(): "create_import_job", "update_crypto_key", "update_crypto_key_version", + "update_crypto_key_primary_version", + "destroy_crypto_key_version", + "restore_crypto_key_version", "encrypt", "decrypt", "asymmetric_sign", "asymmetric_decrypt", - "update_crypto_key_primary_version", - "destroy_crypto_key_version", - "restore_crypto_key_version", + "mac_sign", + "mac_verify", + "generate_random_bytes", "set_iam_policy", "get_iam_policy", "test_iam_permissions",