unforced
diff --git a/‎cloud-sql/sql-server/client-side-encryption/README.md‎
Lines changed: 95 additions & 0 deletions b/‎cloud-sql/sql-server/client-side-encryption/README.md‎
Lines changed: 95 additions & 0 deletions
diff --git a/‎cloud-sql/sql-server/client-side-encryption/noxfile_config.py‎
Lines changed: 38 additions & 0 deletions b/‎cloud-sql/sql-server/client-side-encryption/noxfile_config.py‎
Lines changed: 38 additions & 0 deletions
diff --git a/‎cloud-sql/sql-server/client-side-encryption/requirements-test.txt‎
Lines changed: 1 addition & 0 deletions b/‎cloud-sql/sql-server/client-side-encryption/requirements-test.txt‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎cloud-sql/sql-server/client-side-encryption/requirements.txt‎
Lines changed: 4 additions & 0 deletions b/‎cloud-sql/sql-server/client-side-encryption/requirements.txt‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎cloud-sql/sql-server/client-side-encryption/snippets/__init__.py‎ b/‎cloud-sql/sql-server/client-side-encryption/snippets/__init__.py‎
diff --git a/‎cloud-sql/sql-server/client-side-encryption/snippets/cloud_kms_env_aead.py‎
Lines changed: 48 additions & 0 deletions b/‎cloud-sql/sql-server/client-side-encryption/snippets/cloud_kms_env_aead.py‎
Lines changed: 48 additions & 0 deletions
diff --git a/‎cloud-sql/sql-server/client-side-encryption/snippets/cloud_kms_env_aead_test.py‎
Lines changed: 37 additions & 0 deletions b/‎cloud-sql/sql-server/client-side-encryption/snippets/cloud_kms_env_aead_test.py‎
Lines changed: 37 additions & 0 deletions
diff --git a/‎cloud-sql/sql-server/client-side-encryption/snippets/cloud_sql_connection_pool.py‎
Lines changed: 83 additions & 0 deletions b/‎cloud-sql/sql-server/client-side-encryption/snippets/cloud_sql_connection_pool.py‎
Lines changed: 83 additions & 0 deletions
diff --git a/‎cloud-sql/sql-server/client-side-encryption/snippets/cloud_sql_connection_pool_test.py‎
Lines changed: 76 additions & 0 deletions b/‎cloud-sql/sql-server/client-side-encryption/snippets/cloud_sql_connection_pool_test.py‎
Lines changed: 76 additions & 0 deletions
@@ -0,0 +1,95 @@
+# Encrypting fields in Cloud SQL - MySQL with Tink
+
+## Before you begin
+
+1. If you haven't already, set up a Python Development Environment by following the [python setup guide](https://cloud.google.com/python/setup) and 
+[create a project](https://cloud.google.com/resource-manager/docs/creating-managing-projects#creating_a_project).
+
+1. Create a 2nd Gen Cloud SQL Instance by following these 
+[instructions](https://cloud.google.com/sql/docs/sqlserver/create-instance). Note the connection string,
+database user, and database password that you create.
+
+1. Create a database for your application by following these 
+[instructions](https://cloud.google.com/sql/docs/sqlserver/create-manage-databases). Note the database
+name.
+
+1. Create a KMS key for your application by following these
+[instructions](https://cloud.google.com/kms/docs/creating-keys). Copy the resource name of your
+created key.
+
+1. Create a service account with the 'Cloud SQL Client' permissions by following these 
+[instructions](https://cloud.google.com/sql/docs/sqlserver/connect-admin-proxy#create-service-account).
+Download a JSON key to use to authenticate your connection.
+
+1. **macOS / Windows only**: Configure gRPC Root Certificates: On some platforms you may need to
+accept the Google server certificates, see instructions for setting up
+[root certs](https://github.com/googleapis/google-cloud-cpp/blob/master/google/cloud/bigtable/examples/README.md#configure-grpc-root-certificates).
+
+## Running locally
+
+To run this application locally, download and install the `cloud_sql_proxy` by
+following the instructions
+[here](https://cloud.google.com/sql/docs/sqlserver/connect-admin-proxy#install).
+
+Instructions are provided below for using the proxy with a TCP connection or a Unix Domain Socket.
+On Linux or Mac OS you can use either option, but on Windows the proxy currently requires a TCP
+connection.
+
+### Launch proxy with TCP
+
+To run the sample locally with a TCP connection, set environment variables and launch the proxy as
+shown below.
+
+#### Linux / Mac OS
+Use these terminal commands to initialize environment variables:
+```bash
+export GOOGLE_APPLICATION_CREDENTIALS=/path/to/service/account/key.json
+export DB_HOST='127.0.0.1:1433'
+export DB_USER='<DB_USER_NAME>'
+export DB_PASS='<DB_PASSWORD>'
+export DB_NAME='<DB_NAME>'
+export GCP_KMS_URI='<GCP_KMS_URI>'
+```
+Note: Saving credentials in environment variables is convenient, but not secure - consider a more
+secure solution such as [Secret Manager](https://cloud.google.com/secret-manager/docs/quickstart) to
+help keep secrets safe.
+
+Then use this command to launch the proxy in the background:
+```bash
+./cloud_sql_proxy -instances=<project-id>:<region>:<instance-name>=tcp:1433 -credential_file=$GOOGLE_APPLICATION_CREDENTIALS &
+```
+
+#### Windows/PowerShell
+Use these PowerShell commands to initialize environment variables:
+```powershell
+$env:GOOGLE_APPLICATION_CREDENTIALS="<CREDENTIALS_JSON_FILE>"
+$env:DB_HOST="127.0.0.1:1433"
+$env:DB_USER="<DB_USER_NAME>"
+$env:DB_PASS="<DB_PASSWORD>"
+$env:DB_NAME="<DB_NAME>"
+$env:GCP_KMS_URI='<GCP_KMS_URI>'
+```
+Note: Saving credentials in environment variables is convenient, but not secure - consider a more
+secure solution such as [Secret Manager](https://cloud.google.com/secret-manager/docs/quickstart) to
+help keep secrets safe.
+
+Then use this command to launch the proxy in a separate PowerShell session:
+```powershell
+Start-Process -filepath "C:\<path to proxy exe>" -ArgumentList "-instances=<project-id>:<region>:<instance-name>=tcp:1433 -credential_file=<CREDENTIALS_JSON_FILE>"
+```
+
+### Install requirements
+
+Next, setup install the requirements into a virtual enviroment:
+```bash
+virtualenv --python python3 env
+source env/bin/activate
+pip install -r requirements.txt
+```
+
+### Run the demo
+
+Add new votes and view the collected votes:
+```bash
+python snippets/query_and_decrypt_data.py 
+```
@@ -0,0 +1,38 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default TEST_CONFIG_OVERRIDE for python repos.
+
+# You can copy this file into your directory, then it will be inported from
+# the noxfile.py.
+
+# The source of truth:
+# https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/noxfile_config.py
+
+TEST_CONFIG_OVERRIDE = {
+    # You can opt out from the test for specific Python versions.
+    "ignored_versions": ["2.7", "3.6"],
+    # Old samples are opted out of enforcing Python type hints
+    # All new samples should feature them
+    "enforce_type_hints": True,
+    # An envvar key for determining the project id to use. Change it
+    # to 'BUILD_SPECIFIC_GCLOUD_PROJECT' if you want to opt in using a
+    # build specific Cloud project. You can also use your own string
+    # to use your own Cloud project.
+    "gcloud_project_env": "GOOGLE_CLOUD_PROJECT",
+    # 'gcloud_project_env': 'BUILD_SPECIFIC_GCLOUD_PROJECT',
+    # A dictionary you want to inject into your test. Don't put any
+    # secrets here. These values will override predefined values.
+    "envs": {},
+}
@@ -0,0 +1 @@
+pytest==6.2.2
@@ -0,0 +1,4 @@
+SQLAlchemy==1.4.4
+python-tds==1.10.0
+sqlalchemy-pytds==0.3.1
+tink==1.5.0
@@ -0,0 +1,48 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# [START cloud_sql_sqlserver_cse_key]
+import logging
+
+import tink
+from tink import aead
+from tink.integration import gcpkms
+
+logger = logging.getLogger(__name__)
+
+
+def init_tink_env_aead(
+        key_uri: str,
+        credentials: str) -> tink.aead.KmsEnvelopeAead:
+    aead.register()
+
+    try:
+        gcp_client = gcpkms.GcpKmsClient(key_uri, credentials)
+        gcp_aead = gcp_client.get_aead(key_uri)
+    except tink.TinkError as e:
+        logger.error("Error initializing GCP client: %s", e)
+        raise e
+
+    # Create envelope AEAD primitive using AES256 GCM for encrypting the data
+    # This key should only be used for client-side encryption to ensure authenticity and integrity
+    # of data.
+    key_template = aead.aead_key_templates.AES256_GCM
+    env_aead = aead.KmsEnvelopeAead(key_template, gcp_aead)
+
+    print(f"Created envelope AEAD Primitive using KMS URI: {key_uri}")
+
+    return env_aead
+
+
+# [END cloud_sql_sqlserver_cse_key]
@@ -0,0 +1,37 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+
+import pytest
+
+from snippets.cloud_kms_env_aead import init_tink_env_aead
+
+
+@pytest.fixture(name="kms_uri")
+def setup() -> str:
+    kms_uri = "gcp-kms://" + os.environ["CLOUD_KMS_KEY"]
+
+    yield kms_uri
+
+
+def test_cloud_kms_env_aead(
+        capsys: pytest.CaptureFixture, kms_uri: str) -> None:
+    credentials = os.environ.get("GOOGLE_APPLICATION_CREDENTIALS", "")
+
+    # Create env_aead primitive
+    init_tink_env_aead(kms_uri, credentials)
+
+    captured = capsys.readouterr().out
+    assert f"Created envelope AEAD Primitive using KMS URI: {kms_uri}" in captured
@@ -0,0 +1,83 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# [START cloud_sql_sqlserver_cse_db]
+import pytds
+import sqlalchemy
+from sqlalchemy import Column
+from sqlalchemy import DateTime
+from sqlalchemy import Integer
+from sqlalchemy import Table
+
+
+def init_tcp_connection_engine(
+    db_user: str, db_pass: str, db_name: str, db_host: str
+) -> sqlalchemy.engine.base.Engine:
+    # Remember - storing secrets in plaintext is potentially unsafe. Consider using
+    # something like https://cloud.google.com/secret-manager/docs/overview to help keep
+    # secrets secret.
+
+    # Extract host and port from db_host
+    host_args = db_host.split(":")
+    db_hostname, db_port = host_args[0], int(host_args[1])
+
+    def connect_with_pytds() -> pytds.Connection:
+        return pytds.connect(
+            db_hostname,  # e.g. "127.0.0.1"
+            user=db_user,  # e.g. "my-database-user"
+            password=db_pass,  # e.g. "my-database-password"
+            database=db_name,  # e.g. "my-database-name"
+            port=db_port,  # e.g. 1433
+            bytes_to_unicode=False  # disables automatic decoding of bytes
+        )
+
+    pool = sqlalchemy.create_engine(
+        # This allows us to use the pytds sqlalchemy dialect, but also set the
+        # bytes_to_unicode flag to False, which is not supported by the dialect
+        "mssql+pytds://localhost",
+        creator=connect_with_pytds,
+    )
+
+    print("Created TCP connection pool")
+    return pool
+
+
+def init_db(
+    db_user: str,
+    db_pass: str,
+    db_name: str,
+    db_host: str,
+    table_name: str,
+) -> sqlalchemy.engine.base.Engine:
+
+    db = init_tcp_connection_engine(db_user, db_pass, db_name, db_host)
+
+    # Create tables (if they don't already exist)
+    if not db.has_table(table_name):
+        metadata = sqlalchemy.MetaData(db)
+        Table(
+            table_name,
+            metadata,
+            Column("vote_id", Integer, primary_key=True, nullable=False),
+            Column("voter_email", sqlalchemy.types.VARBINARY, nullable=False),
+            Column("time_cast", DateTime, nullable=False),
+            Column("team", sqlalchemy.types.VARCHAR(6), nullable=False),
+        )
+        metadata.create_all()
+
+    print(f"Created table {table_name} in db {db_name}")
+    return db
+
+
+# [END cloud_sql_sqlserver_cse_db]
@@ -0,0 +1,76 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+from typing import Dict
+import uuid
+
+import pytest
+
+from snippets.cloud_sql_connection_pool import (
+    init_db,
+    init_tcp_connection_engine,
+)
+
+
+@pytest.fixture(name="conn_vars")
+def setup() -> Dict[str, str]:
+    try:
+        conn_vars = {}
+        conn_vars["db_user"] = os.environ["SQLSERVER_USER"]
+        conn_vars["db_pass"] = os.environ["SQLSERVER_PASSWORD"]
+        conn_vars["db_name"] = os.environ["SQLSERVER_DATABASE"]
+        conn_vars["db_host"] = os.environ["SQLSERVER_HOST"]
+        conn_vars["instance_conn_name"] = os.environ["SQLSERVER_INSTANCE"]
+        conn_vars["db_socket_dir"] = os.getenv("DB_SOCKET_DIR", "/cloudsql")
+    except KeyError:
+        raise Exception(
+            "The following env variables must be set to run these tests:"
+            "SQLSERVER_USER, SQLSERVER_PASSWORD, SQLSERVER_DATABASE, SQLSERVER_HOST, "
+            "SQLSERVER_INSTANCE")
+    else:
+        yield conn_vars
+
+
+def test_init_tcp_connection_engine(
+        capsys: pytest.CaptureFixture,
+        conn_vars: Dict[str, str]) -> None:
+
+    init_tcp_connection_engine(
+        db_user=conn_vars["db_user"],
+        db_name=conn_vars["db_name"],
+        db_pass=conn_vars["db_pass"],
+        db_host=conn_vars["db_host"],
+    )
+
+    captured = capsys.readouterr().out
+    assert "Created TCP connection pool" in captured
+
+
+def test_init_db(
+        capsys: pytest.CaptureFixture,
+        conn_vars: Dict[str, str]) -> None:
+
+    table_name = f"votes_{uuid.uuid4().hex}"
+
+    init_db(
+        db_user=conn_vars["db_user"],
+        db_name=conn_vars["db_name"],
+        db_pass=conn_vars["db_pass"],
+        db_host=conn_vars["db_host"],
+        table_name=table_name,
+    )
+
+    captured = capsys.readouterr().out
+    assert f"Created table {table_name} in db {conn_vars['db_name']}" in captured