feat: add support for external key manager (via synth)

.coveragerc

@@ -1,3 +1,19 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 # Generated by synthtool. DO NOT EDIT!
 [run]
 branch = True

.flake8

@@ -1,3 +1,19 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 # Generated by synthtool. DO NOT EDIT!
 [flake8]
 ignore = E203, E266, E501, W503

.github/ISSUE_TEMPLATE/bug_report.md

@@ -11,8 +11,7 @@ Thanks for stopping by to let us know something could be better!
 Please run down the following list and make sure you've tried the usual "quick fixes":
 
   - Search the issues already opened: https://github.com/googleapis/python-kms/issues
-  - Search the issues on our "catch-all" repository: https://github.com/googleapis/google-cloud-python
-  - Search StackOverflow: http://stackoverflow.com/questions/tagged/google-cloud-platform+python
+  - Search StackOverflow: https://stackoverflow.com/questions/tagged/google-cloud-platform+python
 
 If you are still having issues, please be sure to include as much information as possible:
 

CONTRIBUTING.rst

@@ -22,7 +22,7 @@ In order to add a feature:
   documentation.
 
 - The feature must work fully on the following CPython versions:  2.7,
-  3.5, 3.6, and 3.7 on both UNIX and Windows.
+  3.5, 3.6, 3.7 and 3.8 on both UNIX and Windows.
 
 - The feature must not add unnecessary dependencies (where
   "unnecessary" is of course subjective, but new dependencies should
@@ -214,26 +214,18 @@ We support:
 -  `Python 3.5`_
 -  `Python 3.6`_
 -  `Python 3.7`_
+-  `Python 3.8`_
 
 .. _Python 3.5: https://docs.python.org/3.5/
 .. _Python 3.6: https://docs.python.org/3.6/
 .. _Python 3.7: https://docs.python.org/3.7/
+.. _Python 3.8: https://docs.python.org/3.8/
 
 
 Supported versions can be found in our ``noxfile.py`` `config`_.
 
 .. _config: https://github.com/googleapis/python-kms/blob/master/noxfile.py
 
-We explicitly decided not to support `Python 2.5`_ due to `decreased usage`_
-and lack of continuous integration `support`_.
-
-.. _Python 2.5: https://docs.python.org/2.5/
-.. _decreased usage: https://caremad.io/2013/10/a-look-at-pypi-downloads/
-.. _support: https://blog.travis-ci.com/2013-11-18-upcoming-build-environment-updates/
-
-We have `dropped 2.6`_ as a supported version as well since Python 2.6 is no
-longer supported by the core development team.
-
 Python 2.7 support is deprecated. All code changes should maintain Python 2.7 compatibility until January 1, 2020.
 
 We also explicitly decided to support Python 3 beginning with version
@@ -247,7 +239,6 @@ We also explicitly decided to support Python 3 beginning with version
 .. _prominent: https://docs.djangoproject.com/en/1.9/faq/install/#what-python-version-can-i-use-with-django
 .. _projects: http://flask.pocoo.org/docs/0.10/python3/
 .. _Unicode literal support: https://www.python.org/dev/peps/pep-0414/
-.. _dropped 2.6: https://github.com/googleapis/google-cloud-python/issues/995
 
 **********
 Versioning

MANIFEST.in

@@ -1,3 +1,19 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 # Generated by synthtool. DO NOT EDIT!
 include README.rst LICENSE
 recursive-include google *.json *.proto

google/cloud/kms_v1/gapic/enums.py

@@ -114,6 +114,7 @@ class CryptoKeyVersionAlgorithm(enum.IntEnum):
           RSA_DECRYPT_OAEP_4096_SHA512 (int): RSAES-OAEP 4096 bit key with a SHA512 digest.
           EC_SIGN_P256_SHA256 (int): ECDSA on the NIST P-256 curve with a SHA256 digest.
           EC_SIGN_P384_SHA384 (int): ECDSA on the NIST P-384 curve with a SHA384 digest.
+          EXTERNAL_SYMMETRIC_ENCRYPTION (int): Algorithm representing symmetric encryption by an external key manager.
         """
 
         CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED = 0
@@ -132,6 +133,7 @@ class CryptoKeyVersionAlgorithm(enum.IntEnum):
         RSA_DECRYPT_OAEP_4096_SHA512 = 17
         EC_SIGN_P256_SHA256 = 12
         EC_SIGN_P384_SHA384 = 13
+        EXTERNAL_SYMMETRIC_ENCRYPTION = 18
 
     class CryptoKeyVersionState(enum.IntEnum):
         """

google/cloud/kms_v1/gapic/key_management_service_client.py

@@ -117,6 +117,7 @@ def crypto_key_path_path(cls, project, location, key_ring, crypto_key_path):
     def crypto_key_version_path(
         cls, project, location, key_ring, crypto_key, crypto_key_version
     ):
+
         """Return a fully-qualified crypto_key_version string."""
         return google.api_core.path_template.expand(
             "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}/cryptoKeyVersions/{crypto_key_version}",
@@ -1676,7 +1677,8 @@ def encrypt(
             >>>
             >>> client = kms_v1.KeyManagementServiceClient()
             >>>
-            >>> name = client.crypto_key_path_path('[PROJECT]', '[LOCATION]', '[KEY_RING]', '[CRYPTO_KEY_PATH]')
+            >>> # TODO: Initialize `name`:
+            >>> name = ''
             >>>
             >>> # TODO: Initialize `plaintext`:
             >>> plaintext = b''
@@ -2320,7 +2322,8 @@ def set_iam_policy(
             >>>
             >>> client = kms_v1.KeyManagementServiceClient()
             >>>
-            >>> resource = client.key_ring_path('[PROJECT]', '[LOCATION]', '[KEY_RING]')
+            >>> # TODO: Initialize `resource`:
+            >>> resource = ''
             >>>
             >>> # TODO: Initialize `policy`:
             >>> policy = {}
@@ -2402,7 +2405,8 @@ def get_iam_policy(
             >>>
             >>> client = kms_v1.KeyManagementServiceClient()
             >>>
-            >>> resource = client.key_ring_path('[PROJECT]', '[LOCATION]', '[KEY_RING]')
+            >>> # TODO: Initialize `resource`:
+            >>> resource = ''
             >>>
             >>> response = client.get_iam_policy(resource)
 
@@ -2486,7 +2490,8 @@ def test_iam_permissions(
             >>>
             >>> client = kms_v1.KeyManagementServiceClient()
             >>>
-            >>> resource = client.key_ring_path('[PROJECT]', '[LOCATION]', '[KEY_RING]')
+            >>> # TODO: Initialize `resource`:
+            >>> resource = ''
             >>>
             >>> # TODO: Initialize `permissions`:
             >>> permissions = []

google/cloud/kms_v1/proto/resources.proto

@@ -1,4 +1,4 @@
-// Copyright 2019 Google LLC.
+// Copyright 2020 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -16,11 +16,11 @@ syntax = "proto3";
 
 package google.cloud.kms.v1;
 
-import "google/api/annotations.proto";
 import "google/api/field_behavior.proto";
 import "google/api/resource.proto";
 import "google/protobuf/duration.proto";
 import "google/protobuf/timestamp.proto";
+import "google/api/annotations.proto";
 
 option cc_enable_arenas = true;
 option csharp_namespace = "Google.Cloud.Kms.V1";
@@ -142,11 +142,6 @@ message CryptoKey {
   map<string, string> labels = 10;
 }
 
-option (google.api.resource_definition) = {
-    type: "cloudkms.googleapis.com/CryptoKey"
-    pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key_path=**}"
-};
-
 // A [CryptoKeyVersionTemplate][google.cloud.kms.v1.CryptoKeyVersionTemplate] specifies the properties to use when creating
 // a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], either manually with
 // [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] or
@@ -289,6 +284,9 @@ message CryptoKeyVersion {
 
     // ECDSA on the NIST P-384 curve with a SHA384 digest.
     EC_SIGN_P384_SHA384 = 13;
+
+    // Algorithm representing symmetric encryption by an external key manager.
+    EXTERNAL_SYMMETRIC_ENCRYPTION = 18;
   }
 
   // The state of a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], indicating if it can be used.
@@ -395,11 +393,21 @@ message CryptoKeyVersion {
   // [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
   // [IMPORT_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.IMPORT_FAILED].
   string import_failure_reason = 16 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // ExternalProtectionLevelOptions stores a group of additional fields for
+  // configuring a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that are specific to the
+  // [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] protection level.
+  ExternalProtectionLevelOptions external_protection_level_options = 17;
 }
 
 // The public key for a given [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Obtained via
 // [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
 message PublicKey {
+  option (google.api.resource) = {
+    type: "cloudkms.googleapis.com/PublicKey"
+    pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}/cryptoKeyVersions/{crypto_key_version}/publicKey"
+  };
+
   // The public key, encoded in PEM format. For more information, see the
   // [RFC 7468](https://tools.ietf.org/html/rfc7468) sections for
   // [General Considerations](https://tools.ietf.org/html/rfc7468#section-2) and
@@ -565,3 +573,11 @@ enum ProtectionLevel {
   // Crypto operations are performed by an external key manager.
   EXTERNAL = 3;
 }
+
+// ExternalProtectionLevelOptions stores a group of additional fields for
+// configuring a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that are specific to the
+// [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] protection level.
+message ExternalProtectionLevelOptions {
+  // The URI for an external resource that this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents.
+  string external_key_uri = 1;
+}