kms: add attestation and rotation schedule sample (GoogleCloudPlatform#2784)

sethvargo · web-flow · commit c70bdcdafe70 · 2020-04-24T12:39:24.000-04:00
diff --git a/kms/src/main/java/kms/GetKeyVersionAttestation.java b/kms/src/main/java/kms/GetKeyVersionAttestation.java
@@ -0,0 +1,70 @@
+/*
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package kms;
+
+// [START kms_get_key_version_attestation]
+import com.google.cloud.kms.v1.CryptoKeyVersion;
+import com.google.cloud.kms.v1.CryptoKeyVersionName;
+import com.google.cloud.kms.v1.KeyManagementServiceClient;
+import com.google.cloud.kms.v1.KeyOperationAttestation;
+import java.io.IOException;
+import java.util.Base64;
+
+public class GetKeyVersionAttestation {
+
+  public void getKeyVersionAttestation() throws IOException {
+    // TODO(developer): Replace these variables before running the sample.
+    String projectId = "your-project-id";
+    String locationId = "us-east1";
+    String keyRingId = "my-key-ring";
+    String keyId = "my-key";
+    String keyVersionId = "123";
+    getKeyVersionAttestation(projectId, locationId, keyRingId, keyId, keyVersionId);
+  }
+
+  // Get the attestations for a key version
+  public void getKeyVersionAttestation(
+      String projectId, String locationId, String keyRingId, String keyId, String keyVersionId)
+      throws IOException {
+    // Initialize client that will be used to send requests. This client only
+    // needs to be created once, and can be reused for multiple requests. After
+    // completing all of your requests, call the "close" method on the client to
+    // safely clean up any remaining background resources.
+    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
+      // Build the name from the project, location, key ring, and keyId.
+      CryptoKeyVersionName keyVersionName =
+          CryptoKeyVersionName.of(projectId, locationId, keyRingId, keyId, keyVersionId);
+
+      // Get the key version.
+      CryptoKeyVersion keyVersion = client.getCryptoKeyVersion(keyVersionName);
+
+      // Only HSM keys have an attestation. For other key types, the attestion
+      // will be nil.
+      if (!keyVersion.hasAttestation()) {
+        System.out.println("no attestation");
+        return;
+      }
+
+      // Print the attestation, base64-encoded.
+      KeyOperationAttestation attestation = keyVersion.getAttestation();
+      String format = attestation.getFormat().toString();
+      byte[] content = attestation.getContent().toByteArray();
+      System.out.printf("%s: %s", format, Base64.getEncoder().encodeToString(content));
+    }
+  }
+}
+// [END kms_get_key_version_attestation]
diff --git a/kms/src/main/java/kms/UpdateKeyRemoveLabels.java b/kms/src/main/java/kms/UpdateKeyRemoveLabels.java
@@ -50,7 +50,7 @@ public void updateKeyRemoveLabels(
       CryptoKey key = CryptoKey.newBuilder().setName(cryptoKeyName.toString()).build();
 
       // Construct the field mask.
-      FieldMask fieldMask = FieldMaskUtil.fromString("rotation_period,next_rotation_time");
+      FieldMask fieldMask = FieldMaskUtil.fromString("labels");
 
       // Create the key.
       CryptoKey createdKey = client.updateCryptoKey(key, fieldMask);
diff --git a/kms/src/main/java/kms/UpdateKeyRemoveRotation.java b/kms/src/main/java/kms/UpdateKeyRemoveRotation.java
@@ -0,0 +1,66 @@
+/*
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package kms;
+
+// [START kms_update_key_remove_rotation_schedule]
+import com.google.cloud.kms.v1.CryptoKey;
+import com.google.cloud.kms.v1.CryptoKeyName;
+import com.google.cloud.kms.v1.KeyManagementServiceClient;
+import com.google.protobuf.FieldMask;
+import com.google.protobuf.util.FieldMaskUtil;
+import java.io.IOException;
+
+public class UpdateKeyRemoveRotation {
+
+  public void updateKeyRemoveRotation() throws IOException {
+    // TODO(developer): Replace these variables before running the sample.
+    String projectId = "your-project-id";
+    String locationId = "us-east1";
+    String keyRingId = "my-key-ring";
+    String keyId = "my-key";
+    updateKeyRemoveRotation(projectId, locationId, keyRingId, keyId);
+  }
+
+  // Update a key to remove all labels.
+  public void updateKeyRemoveRotation(
+      String projectId, String locationId, String keyRingId, String keyId) throws IOException {
+    // Initialize client that will be used to send requests. This client only
+    // needs to be created once, and can be reused for multiple requests. After
+    // completing all of your requests, call the "close" method on the client to
+    // safely clean up any remaining background resources.
+    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
+      // Build the name from the project, location, key ring, and keyId.
+      CryptoKeyName cryptoKeyName = CryptoKeyName.of(projectId, locationId, keyRingId, keyId);
+
+      // Build an empty key with no labels.
+      CryptoKey key =
+          CryptoKey.newBuilder()
+              .setName(cryptoKeyName.toString())
+              .clearRotationPeriod()
+              .clearNextRotationTime()
+              .build();
+
+      // Construct the field mask.
+      FieldMask fieldMask = FieldMaskUtil.fromString("rotation_period,next_rotation_time");
+
+      // Create the key.
+      CryptoKey createdKey = client.updateCryptoKey(key, fieldMask);
+      System.out.printf("Updated key %s%n", createdKey.getName());
+    }
+  }
+}
+// [END kms_update_key_remove_rotation_schedule]
diff --git a/kms/src/test/java/kms/SnippetsIT.java b/kms/src/test/java/kms/SnippetsIT.java
@@ -33,6 +33,7 @@
 import com.google.cloud.kms.v1.KeyRingName;
 import com.google.cloud.kms.v1.ListCryptoKeyVersionsRequest;
 import com.google.cloud.kms.v1.LocationName;
+import com.google.cloud.kms.v1.ProtectionLevel;
 import com.google.cloud.kms.v1.PublicKey;
 import com.google.common.base.Strings;
 import com.google.protobuf.ByteString;
@@ -74,6 +75,7 @@ public class SnippetsIT {
   private static String ASYMMETRIC_DECRYPT_KEY_ID;
   private static String ASYMMETRIC_SIGN_EC_KEY_ID;
   private static String ASYMMETRIC_SIGN_RSA_KEY_ID;
+  private static String HSM_KEY_ID;
   private static String SYMMETRIC_KEY_ID;
 
   private ByteArrayOutputStream stdOut;
@@ -94,6 +96,9 @@ public static void beforeAll() throws IOException {
     ASYMMETRIC_SIGN_RSA_KEY_ID = getRandomId();
     createAsymmetricSignRsaKey(ASYMMETRIC_SIGN_RSA_KEY_ID);
 
+    HSM_KEY_ID = getRandomId();
+    createHsmKey(HSM_KEY_ID);
+
     SYMMETRIC_KEY_ID = getRandomId();
     createSymmetricKey(SYMMETRIC_KEY_ID);
   }
@@ -208,6 +213,24 @@ private static CryptoKey createAsymmetricSignRsaKey(String keyId) throws IOExcep
     }
   }
 
+  private static CryptoKey createHsmKey(String keyId) throws IOException {
+    try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
+      CryptoKey key =
+          CryptoKey.newBuilder()
+              .setPurpose(CryptoKeyPurpose.ENCRYPT_DECRYPT)
+              .setVersionTemplate(
+                  CryptoKeyVersionTemplate.newBuilder()
+                      .setAlgorithm(CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION)
+                      .setProtectionLevel(ProtectionLevel.HSM)
+                      .build())
+              .putLabels("foo", "bar")
+              .putLabels("zip", "zap")
+              .build();
+      CryptoKey createdKey = client.createCryptoKey(getKeyRingName(), keyId, key);
+      return createdKey;
+    }
+  }
+
   private static CryptoKey createSymmetricKey(String keyId) throws IOException {
     try (KeyManagementServiceClient client = KeyManagementServiceClient.create()) {
       CryptoKey key =
@@ -409,6 +432,13 @@ public void testEncryptSymmetric() throws IOException {
     assertThat(stdOut.toString()).contains("Ciphertext");
   }
 
+  @Test
+  public void testGetKeyVersionAttestation() throws IOException {
+    new GetKeyVersionAttestation()
+        .getKeyVersionAttestation(PROJECT_ID, LOCATION_ID, KEY_RING_ID, HSM_KEY_ID, "1");
+    assertThat(stdOut.toString()).contains("CAVIUM");
+  }
+
   @Test
   public void testGetKeyLabels() throws IOException {
     new GetKeyLabels().getKeyLabels(PROJECT_ID, LOCATION_ID, KEY_RING_ID, SYMMETRIC_KEY_ID);
@@ -466,6 +496,13 @@ public void testUpdateKeyRemoveLabels() throws IOException {
     assertThat(stdOut.toString()).contains("Updated key");
   }
 
+  @Test
+  public void testUpdateKeyRemoveRotation() throws IOException {
+    new UpdateKeyRemoveRotation()
+        .updateKeyRemoveRotation(PROJECT_ID, LOCATION_ID, KEY_RING_ID, SYMMETRIC_KEY_ID);
+    assertThat(stdOut.toString()).contains("Updated key");
+  }
+
   @Test
   public void testUpdateKeySetPrimary() throws IOException {
     new UpdateKeySetPrimary()
