Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Migrate python-kms to 2.0.0 #4019

Merged
merged 3 commits into from
May 10, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 29 additions & 4 deletions contentcuration/contentcuration/utils/secretmanagement.py
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,10 @@
import logging
import os

from google.cloud import kms_v1
import six
from google.cloud import kms
from google.cloud.storage import Client
from google_crc32c import value as _crc32c

ENV_VARS = "ENV_VARS"
KMS_GCS = 2
Expand Down Expand Up @@ -71,10 +73,22 @@ def decrypt_secret(ciphertext, project_id, loc, env, secret_name):
"""
Decrypt the ciphertext by using the GCloud KMS keys for that secret.
"""
kms_client = kms_v1.KeyManagementServiceClient()
key_path = kms_client.crypto_key_path_path(project_id, loc, env, secret_name)
kms_client = kms.KeyManagementServiceClient()
key_path = kms_client.crypto_key_path(project_id, loc, env, secret_name)

# Optional, but recommended: compute ciphertext's CRC32C.
# See crc32c() function defined below.
ciphertext_crc32c = crc32c(ciphertext)

response = kms_client.decrypt(
request={'name': key_path, 'ciphertext': ciphertext, 'ciphertext_crc32c': ciphertext_crc32c})

# Optional, but recommended: perform integrity verification on decrypt_response.
# For more details on ensuring E2E in-transit integrity to and from Cloud KMS visit:
# https://cloud.google.com/kms/docs/data-integrity-guidelines
if not response.plaintext_crc32c == crc32c(response.plaintext):
raise Exception('The response received from the server was corrupted in-transit.')

response = kms_client.decrypt(key_path, ciphertext)
return response.plaintext


Expand Down Expand Up @@ -103,3 +117,14 @@ def get_encrypted_secret(secret_name, project_id, env):
)

return ret


def crc32c(data):
"""
Calculates the CRC32C checksum of the provided data.
Args:
data: the bytes over which the checksum should be calculated.
Returns:
An int representing the CRC32C checksum of the provided bytes.
"""
return _crc32c(six.ensure_binary(data))
125 changes: 0 additions & 125 deletions deploy/secretmanage

This file was deleted.

7 changes: 5 additions & 2 deletions requirements-dev.txt
Original file line number Diff line number Diff line change
Expand Up @@ -212,6 +212,7 @@ pytz==2022.1
# django
pyyaml==6.0
# via
# -c requirements.txt
# aspy-yaml
# pre-commit
pyzmq==23.1.0
Expand Down Expand Up @@ -257,8 +258,10 @@ tomli==1.2.3
# build
# coverage
# pep517
typing-extensions==4.1.1
# via locust
typing-extensions==4.5.0
# via
# -c requirements.txt
# locust
uritemplate==3.0.1
# via
# coreapi
Expand Down
3 changes: 2 additions & 1 deletion requirements.in
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,8 @@ google-cloud-core
django-db-readonly==0.7.0
oauth2client
django-mathfilters
google-cloud-kms==1.4.0
google-cloud-kms==2.0.0
google-crc32c==1.1.2
backoff
backports-abc==0.5
django-model-utils==4.3.1
Expand Down
19 changes: 17 additions & 2 deletions requirements.txt
Original file line number Diff line number Diff line change
Expand Up @@ -121,14 +121,16 @@ google-cloud-core==1.7.3
# google-cloud-storage
google-cloud-error-reporting==1.4.0
# via -r requirements.in
google-cloud-kms==1.4.0
google-cloud-kms==2.0.0
# via -r requirements.in
google-cloud-logging==2.3.1
# via google-cloud-error-reporting
google-cloud-storage==1.41.1
# via -r requirements.in
google-crc32c==1.1.2
# via google-resumable-media
# via
# -r requirements.in
# google-resumable-media
google-resumable-media==1.3.0
# via google-cloud-storage
googleapis-common-protos[grpc]==1.57.0
Expand Down Expand Up @@ -166,6 +168,10 @@ kombu==5.2.4
# via celery
le-utils==0.1.42
# via -r requirements.in
libcst==0.4.9
# via google-cloud-kms
mypy-extensions==1.0.0
# via typing-inspect
newrelic==6.2.0.156
# via -r requirements.in
oauth2client==4.1.3
Expand All @@ -185,6 +191,7 @@ prompt-toolkit==3.0.23
proto-plus==1.18.1
# via
# google-cloud-error-reporting
# google-cloud-kms
# google-cloud-logging
protobuf==3.20.3
# via
Expand Down Expand Up @@ -222,6 +229,8 @@ pytz==2022.1
# django
# django-postmark
# google-api-core
pyyaml==6.0
# via libcst
redis==4.5.4
# via
# -r requirements.in
Expand Down Expand Up @@ -251,6 +260,12 @@ six==1.16.0
# python-dateutil
sqlparse==0.4.1
# via django
typing-extensions==4.5.0
# via
# libcst
# typing-inspect
typing-inspect==0.8.0
# via libcst
urllib3==1.26.14
# via
# botocore
Expand Down