o ɶd/@sddlmZddlZddlZddlmZddlmZddlm Z m Z m Z ddl m Z mZmZddlmZmZmZeejGdd d eZGd d d eZeejGd d d eZGdddeZGdddeZdS))sixN) algorithms) ServiceError)KeyShapeGenerateKeyDetailsDecryptDataDetails)KmsCryptoClientKmsManagementClientKmsVaultClient)convert_to_strverify_crc32_checksumraise_runtime_error_fromc@s,eZdZdZejddZejddZdS)MasterKeyProviderzn An abstract base class defining methods to vend MasterKeys for use in encryption and decryption. cCdS)zv Returns the primary master key for this MasterKeyProvider. :rtype: oci.encryption.MasterKey Nselfrr@usr/lib/python3.10/site-packages/oci/encryption/key_providers.pyget_primary_master_keyz(MasterKeyProvider.get_primary_master_keycKr)zz Returns a specific master key based on the arguments provided. :rtype: oci.encryption.MasterKey Nr)rkwargsrrrget_master_key$rz MasterKeyProvider.get_master_keyN)__name__ __module__ __qualname____doc__abcabstractmethodrrrrrrrs  rc@s&eZdZdddZddZddZdS) KMSMasterKeyProviderNcKs^|durt|dkrtdd|_|r|d|_|d|_||_|js+|js-tddSdS)ak :param dict config: (required) An OCI config dict used to create underlying clients to talk to OCI KMS. Note, the 'region' in this config must match the region that the key / vault exist in otherwise they will not be found. :param list[KMSMasterKey] kms_master_keys: (optional) A list of KMSMasterKeys. Currently a max of 1 master key is supported. For decryption, you can use a KMSMasterKeyProvder with no master keys. :param signer: (optional) The signer to use when signing requests made by the service client. The default is to use a :py:class:`~oci.signer.Signer` based on the values provided in the config parameter. One use case for this parameter is for `Instance Principals authentication `__ by passing an instance of :py:class:`~oci.auth.signers.InstancePrincipalsSecurityTokenSigner` as the value for this keyword argument :type signer: :py:class:`~oci.signer.AbstractBaseSigner` NzGOnly one KMS master key is currently supported for KMSMasterKeyProviderrsigner+Either a config or signer must be passed in)len ValueErrorprimary_master_keygetr config)rr&Zkms_master_keysrrrr__init__/s   zKMSMasterKeyProvider.__init__cC|jSN)r$rrrrrRsz+KMSMasterKeyProvider.get_primary_master_keycKs^|ds td|jr|j|dkr|jS|j}|jr$|j|d<tdd|i|}|S)a8 Get a KMSMasterKey based on the provided parameters. If this key provider already has the KMSMasterKey that was requested, it will return it. If it does not have a representation of the KMSMasterKey locally, it will attempt to retrieve it from KMS. :param str master_key_id: (required) The OCID of this master key :param str vault_id: (optional) The OCID of the vault this master key resides in :param str region: (optional) The region this master key resides in master_key_idz/keyword argument master_key_id must not be Noner r&Nr)r%r#r$get_identifierr&r KMSMasterKey)rrZmaster_key_configZkms_master_keyrrrrUs  z#KMSMasterKeyProvider.get_master_keyr))rrrr'rrrrrrr.s # rc@s:eZdZdZejddZejddZejddZdS) MasterKeyzz An abstract base class representing a MasterKey resource to be used in encryption and decryption operations. cCr)a Generates a data encryption key (DEK) based on the algorithm provided using this MasterKey. The returned DataEncryptionKey includes a copy of the DEK encrypted under this MasterKey. :param oci.encryption.algorithms.Algorithm algorithm: (required) The algorithm the key will be used for. :rtype: oci.encryption.key_providers.DataEncryptionKey Nr)r algorithmrrrgenerate_data_encryption_key}s z&MasterKey.generate_data_encryption_keycCr) Decrypts and returns bytes that were encrypted under this master key. :param bytes bytes_to_decrypt: (required) The bytes to decrypt using this MasterKey. :rtype: bytes Nr)rbytes_to_decryptrrrdecrypts zMasterKey.decryptcCr)zP Returns an identifier for this MasterKey. :rtype: str Nrrrrrr+rzMasterKey.get_identifierN) rrrrrrr/r2r+rrrrr-ws   r-c@s,eZdZddZddZddZddZd S) r,c Ks|s |ds tdd|_|dr|d|_nd|vr$|d|_n |dr0|dj|_t|fi|}|j|jz||j}Wntyf}zdj ||jd}t ||WYd}~nd}~wwt |fd|j i||_ t|fd|ji||_||_|j|_dS)a Represents a MasterKey contained in the OCI Key Management Service. :param dict config: (required) An OCI config dict used to create underlying clients to talk to OCI KMS. Note, the 'region' in this config must match the region that the key / vault exist in otherwise they will not be found. :param str master_key_id: (required) The OCID of the KMS master key :param str vault_id: (required) The OCID of the vault containing the master key :param signer: (optional) The signer to use when signing requests made by the service client. The default is to use a :py:class:`~oci.signer.Signer` based on the values provided in the config parameter. One use case for this parameter is for `Instance Principals authentication `__ by passing an instance of :py:class:`~oci.auth.signers.InstancePrincipalsSecurityTokenSigner` as the value for this keyword argument :type signer: :py:class:`~oci.signer.AbstractBaseSigner` :param str region: (optional) The region this master key resides in r r!NregionzFFailed to access vaultId: {vault_id} while targeting region: {region}.)vault_idr3Zservice_endpoint)r%r#r3r Z base_clientZ set_regionZ get_vaultdatarformatr r Zmanagement_endpointZkms_management_clientrZcrypto_endpointkms_crypto_clientr*idr4) rr&r*r4rZkms_vault_clientZvault service_errormessagerrrr'sL    zKMSMasterKey.__init__c Cst}|jjtjjkrtdtj|_|j|_t }d|_ |j |_ ||_ z |j|j}Wn tyM}zdj|j |jd}t||WYd}~nd}~wwt|j}t|j}t|||jdS)NzNOnly AES is currently supported for client side encryption with KMS master keyTzlFailed to generate data encryption key using masterKeyId: {master_key_id} while targeting vault: {vault_id}.r*r4)plaintext_key_bytesencrypted_key_bytesplaintext_key_checksum)rr.namerZAESr#Z ALGORITHM_AESZkey_lenlengthrZinclude_plaintext_keyr*key_idZ key_shaper7r/r5rr6r4r base64 b64decode plaintext ciphertextDataEncryptionKeyplaintext_checksum) rr.Z dek_key_shapeZgenerate_key_detailsZ generated_keyr9r:Zdek_plaintext_bytesZdek_ciphertext_bytesrrrr/s@  z)KMSMasterKey.generate_data_encryption_keyc Cst}tt||_|j|_z |j|j }Wn t y8}zdj |j|j d}t ||WYd}~nd}~wwtt|j|j|jS)r0zkFailed to decrypt data encryption key using masterKeyId: {master_key_id} while targeting vault: {vault_id}.r;N)rr rB b64encoderEr*rAr7r2r5rr6r4r r rCrDrG)rr1Zdecrypt_data_detailsZdecrypted_datar9r:rrrr2s(  zKMSMasterKey.decryptcCr()zm Returns the OCID of this master key in the OCI Key Management Service. :rtype: str )r*rrrrr+'szKMSMasterKey.get_identifierN)rrrr'r/r2r+rrrrr,s ?% !r,c@seZdZdZ dddZdS)rFzP Represents a data encryption key used to encrypt and decrypt payloads. NcCs*||_||_||_|jrt||dSdS)aX :param bytes plaintext_key_bytes: The bytes of the data encryption key in plaintext :param bytes encrypted_key_bytes: The bytes of the data encrypted key encrypted under a master key :param str plaintext_key_checksum: The crc32 checsum of the plaintext data encryption key N)r<r=r>r )rr<r=r>rrrr'4s  zDataEncryptionKey.__init__r))rrrrr'rrrrrF0srF)Z oci._vendorrrrBZ&cryptography.hazmat.primitives.ciphersrZoci.exceptionsrZoci.key_management.modelsrrrZoci.key_managementrr r Zoci.encryption.internal.utilsr r r Z add_metaclassABCMetaobjectrrr-r,rFrrrrs     I)