ó 9(Zc@swdZddlZddlZddlZddlZddlmZddlZddl m Z m Z m Z m Z ddlmZddlmZddlmZddlmZmZmZmZdd lmZmZmZejeƒZd Z ej!d e"ƒd efd „ƒYƒZ#defd„ƒYZ$ej!d e"ƒdefd„ƒYƒZ%defd„ƒYZ&dS(s)Master Key Providers for use with AWS KMSiÿÿÿÿN(t ClientError(tDecryptKeyErrortEncryptKeyErrortGenerateKeyErrortUnknownRegionError(tUSER_AGENT_SUFFIX(tto_str(textend_user_agent_suffix(t MasterKeytMasterKeyConfigtMasterKeyProvidertMasterKeyProviderConfig(tDataKeytEncryptedDataKeyt MasterKeyInfosaws-kmsthashtKMSMasterKeyProviderConfigc Bs¿eZdZejdedejejj ƒdej j ejj ƒƒZ ejdedeje ƒdej j e ƒde ƒZejdedeje ƒdej j e ƒde ƒZRS(shConfiguration object for KMSMasterKeyProvider objects. :param botocore_session: botocore session object (optional) :type botocore_session: botocore.session.Session :param list key_ids: List of KMS CMK IDs with which to pre-populate provider (optional) :param list region_names: List of regions for which to pre-populate clients (optional) Rtdefaultt validatortconvert(t__name__t __module__t__doc__tattrtibtTruetFactorytbotocoretsessiontSessiont validatorst instance_oftbotocore_sessionttupletkey_idst region_names(((sP/tmp/pip-build-wDUJoH/aws-encryption-sdk/aws_encryption_sdk/key_providers/kms.pyR$s    tKMSMasterKeyProvidercBsVeZdZeZeZdZd„Z d„Z d„Z d„Z d„Z d„ZRS(s÷Master Key Provider for KMS. >>> import aws_encryption_sdk >>> kms_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(key_ids=[ ... 'arn:aws:kms:us-east-1:2222222222222:key/22222222-2222-2222-2222-222222222222', ... 'arn:aws:kms:us-east-1:3333333333333:key/33333333-3333-3333-3333-333333333333' ... ]) >>> kms_key_provider.add_master_key('arn:aws:kms:ap-northeast-1:4444444444444:alias/another-key') .. note:: If no botocore_session is provided, the default botocore session will be used. .. note:: If multiple AWS Identities are needed, one of two options are available: * Additional KMSMasterKeyProvider instances may be added to the primary MasterKeyProvider. * KMSMasterKey instances may be manually created and added to this KMSMasterKeyProvider. :param config: Configuration object (optional) :type config: aws_encryption_sdk.key_providers.kms.KMSMasterKeyProviderConfig :param botocore_session: botocore session object (optional) :type botocore_session: botocore.session.Session :param list key_ids: List of KMS CMK IDs with which to pre-populate provider (optional) :param list region_names: List of regions for which to pre-populate clients (optional) cKsi|_|jƒdS(sPrepares mutable attributes.N(t_regional_clientst_process_config(tselftkwargs((sP/tmp/pip-build-wDUJoH/aws-encryption-sdk/aws_encryption_sdk/key_providers/kms.pyt__init__as cCs•|jjr"|j|jjƒn|jjrW|j|jjƒ|jjd|_n:|jjjdƒ|_|jdk r‘|j |jƒndS(sITraverses the config and adds master keys and regional clients as needed.itregionN( tconfigR"tadd_master_keys_from_listR#tadd_regional_clients_from_listtdefault_regionR tget_config_variabletNonetadd_regional_client(R'((sP/tmp/pip-build-wDUJoH/aws-encryption-sdk/aws_encryption_sdk/key_providers/kms.pyR&fs  cCsG||jkrCtjjd|d|jjƒjdƒ|j|RR+R5tmetatuser_agent_extraR(R'R(((sP/tmp/pip-build-wDUJoH/aws-encryption-sdk/aws_encryption_sdk/key_providers/kms.pyR)Èsc Csüi|jd6|jd6}|dk r3||dt kdf_input_lenR0R+RDR5tgenerate_data_keyRtKeyErrorR9t_LOGGERt exceptionRR RRA( R't algorithmtencryption_contextt kms_paramstresponset plaintextt ciphertextR:t error_message((sP/tmp/pip-build-wDUJoH/aws-encryption-sdk/aws_encryption_sdk/key_providers/kms.pyt_generate_data_keyÐs,           c Csæi|jd6|jd6}|r-||dRQR+RDR5tencryptRRUR9RVRWRR RRA( R'RQRXRYRZR[R]R:R^((sP/tmp/pip-build-wDUJoH/aws-encryption-sdk/aws_encryption_sdk/key_providers/kms.pyt_encrypt_data_keyôs(         cCsÌi|jd6}|r#||dRVRWRR RO(R'RRRXRYRZR[R\R^((sP/tmp/pip-build-wDUJoH/aws-encryption-sdk/aws_encryption_sdk/key_providers/kms.pyt_decrypt_data_keys"      N( RRRR@RAR=RBR)R0R_RaRc(((sP/tmp/pip-build-wDUJoH/aws-encryption-sdk/aws_encryption_sdk/key_providers/kms.pyR<ºs   $ %('RtloggingRR4tbotocore.clientRtbotocore.exceptionsRtbotocore.sessiontaws_encryption_sdk.exceptionsRRRRtaws_encryption_sdk.identifiersRt#aws_encryption_sdk.internal.str_opsRt!aws_encryption_sdk.internal.utilsRt%aws_encryption_sdk.key_providers.baseRR R R taws_encryption_sdk.structuresR R Rt getLoggerRRVR@tsRRR$R=R<(((sP/tmp/pip-build-wDUJoH/aws-encryption-sdk/aws_encryption_sdk/key_providers/kms.pyt s(     ""e