Skip to content

Support key version with KMS names to correctly recognize when to skip re-encryption #1705

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
KDB223 wants to merge 6 commits into
base: master
Choose a base branch
from
Open

Support key version with KMS names to correctly recognize when to skip re-encryption #1705

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
ba6894e
fix: Accept version numbers for CMEK key names to correctly recognize…
KDB223 May 19, 2023
dd9068b
test: Add key versions to KMS names
KDB223 May 19, 2023
8b9abac
Revert "fix: Accept version numbers for CMEK key names to correctly r…
KDB223 May 21, 2023
a4fb9e6
Revert "test: Add key versions to KMS names"
KDB223 May 21, 2023
403390c
fix: Remove version number from src CMEK name to match with dest CMEK…
KDB223 May 21, 2023
0e1cdf8
style: Clean up to stay within 80 chars
KDB223 May 21, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions gslib/tests/test_kms.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -159,7 +159,7 @@ class TestKmsSubcommandsFailWhenXmlForced(testcase.GsUtilIntegrationTestCase):
('Credentials', 'gs_secret_access_key', 'dummysecret'),
]
dummy_keyname = ('projects/my-project/locations/us-central1/'
'keyRings/my-keyring/cryptoKeys/my-key')
'keyRings/my-keyring/cryptoKeys/my-key/cryptoKeyVersions/1')

def DoTestSubcommandFailsWhenXmlForcedFromHmacInBotoConfig(self, subcommand):
with SetBotoConfigForTest(self.boto_config_hmac_auth_only):
Expand Down Expand Up @@ -191,7 +191,7 @@ class TestKmsUnitTests(testcase.GsUtilUnitTestCase):
"""Unit tests for gsutil kms."""

dummy_keyname = ('projects/my-project/locations/us-central1/'
'keyRings/my-keyring/cryptoKeys/my-key')
'keyRings/my-keyring/cryptoKeys/my-key/cryptoKeyVersions/1')

@mock.patch(
'gslib.cloud_api_delegator.CloudApiDelegator.GetProjectServiceAccount')
Expand Down
5 changes: 3 additions & 2 deletions gslib/utils/encryption_helper.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,8 @@
lambda: re.compile('projects/([^/]+)/'
'locations/([a-zA-Z0-9_-]{1,63})/'
'keyRings/([a-zA-Z0-9_-]{1,63})/'
'cryptoKeys/([a-zA-Z0-9_-]{1,63})$'))
'cryptoKeys/([a-zA-Z0-9_-]{1,63})/'
'cryptoKeyVersions/([0-9]{1,63})$'))
Copy link
Copy Markdown
Collaborator

@dilipped dilipped May 21, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like the ValidateCMEK function seems to be getting used at multiple places and not every time we pass a key with CryptoKeyVersions (e.g. if you are reading it from boto config)?. I have a feeling that this might break other workflows.

Copy link
Copy Markdown
Author

@KDB223 KDB223 May 21, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're right, it will break a lot of things that rely on the CryptoKeyWrapper class.



class CryptoKeyType(object):
Expand Down Expand Up @@ -168,7 +169,7 @@ def ValidateCMEK(key):
raise CommandException(
'Invalid KMS key name: "%s".\nKMS keys should follow the format '
'"projects/<project-id>/locations/<location>/keyRings/<keyring>/'
'cryptoKeys/<key-name>"' % key)
'cryptoKeys/<key-name>/cryptoKeyVersions/<version-number>"' % key)


def _CalculateSha256FromString(input_string):
Expand Down