

Merge pull request #4019 from ozer550/UPDATE_PYTHON_KMS
Migrate python-kms to 2.0.0
bjester authored May 10, 2023
2 parents 6abbbba + ee2d497 commit 7af004e
Showing 5 changed files with 53 additions and 134 deletions.
33 changes: 29 additions & 4 deletions contentcuration/contentcuration/utils/secretmanagement.py
Expand Up @@ -2,8 +2,10 @@
import logging
import os

from google.cloud import kms_v1
import six
from google.cloud import kms
from google.cloud.storage import Client
from google_crc32c import value as _crc32c

ENV_VARS = "ENV_VARS"
KMS_GCS = 2
Expand Down Expand Up @@ -71,10 +73,22 @@ def decrypt_secret(ciphertext, project_id, loc, env, secret_name):
"""
Decrypt the ciphertext by using the GCloud KMS keys for that secret.
"""
kms_client = kms_v1.KeyManagementServiceClient()
key_path = kms_client.crypto_key_path_path(project_id, loc, env, secret_name)
kms_client = kms.KeyManagementServiceClient()
key_path = kms_client.crypto_key_path(project_id, loc, env, secret_name)

# Optional, but recommended: compute ciphertext's CRC32C.
# See crc32c() function defined below.
ciphertext_crc32c = crc32c(ciphertext)

response = kms_client.decrypt(
request={'name': key_path, 'ciphertext': ciphertext, 'ciphertext_crc32c': ciphertext_crc32c})

# Optional, but recommended: perform integrity verification on decrypt_response.
# For more details on ensuring E2E in-transit integrity to and from Cloud KMS visit:
# https://cloud.google.com/kms/docs/data-integrity-guidelines
if not response.plaintext_crc32c == crc32c(response.plaintext):
raise Exception('The response received from the server was corrupted in-transit.')

response = kms_client.decrypt(key_path, ciphertext)
return response.plaintext


Expand Down Expand Up @@ -103,3 +117,14 @@ def get_encrypted_secret(secret_name, project_id, env):
)

return ret


def crc32c(data):
"""
Calculates the CRC32C checksum of the provided data.
Args:
data: the bytes over which the checksum should be calculated.
Returns:
An int representing the CRC32C checksum of the provided bytes.
"""
return _crc32c(six.ensure_binary(data))
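Review bot: The integrity check at `if not response.plaintext_crc32c == crc32c(response.plaintext):` raises a bare `Exception`, so a caller cannot tell a corrupted or tampered KMS response apart from any other failure without catching everything; unless an existing caller depends on the generic type, a dedicated error class (or at least `ValueError`) would be clearer, and the condition reads more directly as `if response.plaintext_crc32c != crc32c(response.plaintext):`. The `decrypt_secret` docstring still describes only the happy path; it should mention the new failure mode, e.g. `Raises if the CRC32C reported by KMS does not match the returned plaintext (in-transit corruption).` The `def decrypt_secret` line itself is outside the hunk, so the docstring change touches a line not shown here. The new `crc32c` helper at the end of the file is what the check depends on; its docstring already states it returns an int, which is what the comparison against `plaintext_crc32c` presumes.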
125 changes: 0 additions & 125 deletions deploy/secretmanage

This file was deleted.

7 changes: 5 additions & 2 deletions requirements-dev.txt
Expand Up @@ -212,6 +212,7 @@ pytz==2022.1
# django
pyyaml==6.0
# via
# -c requirements.txt
# aspy-yaml
# pre-commit
pyzmq==23.1.0
Expand Down Expand Up @@ -257,8 +258,10 @@ tomli==1.2.3
# build
# coverage
# pep517
typing-extensions==4.1.1
# via locust
typing-extensions==4.5.0
# via
# -c requirements.txt
# locust
uritemplate==3.0.1
# via
# coreapi
3 changes: 2 additions & 1 deletion requirements.in
Expand Up @@ -25,7 +25,8 @@ google-cloud-core
django-db-readonly==0.7.0
oauth2client
django-mathfilters
google-cloud-kms==1.4.0
google-cloud-kms==2.0.0
google-crc32c==1.1.2
backoff
backports-abc==0.5
django-model-utils==4.3.1
19 changes: 17 additions & 2 deletions requirements.txt
Expand Up @@ -121,14 +121,16 @@ google-cloud-core==1.7.3
# google-cloud-storage
google-cloud-error-reporting==1.4.0
# via -r requirements.in
google-cloud-kms==1.4.0
google-cloud-kms==2.0.0
# via -r requirements.in
google-cloud-logging==2.3.1
# via google-cloud-error-reporting
google-cloud-storage==1.41.1
# via -r requirements.in
google-crc32c==1.1.2
# via google-resumable-media
# via
# -r requirements.in
# google-resumable-media
google-resumable-media==1.3.0
# via google-cloud-storage
googleapis-common-protos[grpc]==1.57.0
Expand Down Expand Up @@ -166,6 +168,10 @@ kombu==5.2.4
# via celery
le-utils==0.1.42
# via -r requirements.in
libcst==0.4.9
# via google-cloud-kms
mypy-extensions==1.0.0
# via typing-inspect
newrelic==6.2.0.156
# via -r requirements.in
oauth2client==4.1.3
Expand All @@ -185,6 +191,7 @@ prompt-toolkit==3.0.23
proto-plus==1.18.1
# via
# google-cloud-error-reporting
# google-cloud-kms
# google-cloud-logging
protobuf==3.20.3
# via
Expand Down Expand Up @@ -222,6 +229,8 @@ pytz==2022.1
# django
# django-postmark
# google-api-core
pyyaml==6.0
# via libcst
redis==4.5.4
# via
# -r requirements.in
Expand Down Expand Up @@ -251,6 +260,12 @@ six==1.16.0
# python-dateutil
sqlparse==0.4.1
# via django
typing-extensions==4.5.0
# via
# libcst
# typing-inspect
typing-inspect==0.8.0
# via libcst
urllib3==1.26.14
# via
# botocore
