vsitati
diff --git a/‎cloud-sql/postgres/client-side-encryption/README.md‎
Lines changed: 134 additions & 0 deletions b/‎cloud-sql/postgres/client-side-encryption/README.md‎
Lines changed: 134 additions & 0 deletions
diff --git a/‎cloud-sql/postgres/client-side-encryption/noxfile_config.py‎
Lines changed: 38 additions & 0 deletions b/‎cloud-sql/postgres/client-side-encryption/noxfile_config.py‎
Lines changed: 38 additions & 0 deletions
diff --git a/‎cloud-sql/postgres/client-side-encryption/requirements-test.txt‎
Lines changed: 1 addition & 0 deletions b/‎cloud-sql/postgres/client-side-encryption/requirements-test.txt‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎cloud-sql/postgres/client-side-encryption/requirements.txt‎
Lines changed: 3 additions & 0 deletions b/‎cloud-sql/postgres/client-side-encryption/requirements.txt‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎cloud-sql/postgres/client-side-encryption/snippets/__init__.py‎ b/‎cloud-sql/postgres/client-side-encryption/snippets/__init__.py‎
diff --git a/‎cloud-sql/postgres/client-side-encryption/snippets/cloud_kms_env_aead.py‎
Lines changed: 48 additions & 0 deletions b/‎cloud-sql/postgres/client-side-encryption/snippets/cloud_kms_env_aead.py‎
Lines changed: 48 additions & 0 deletions
diff --git a/‎cloud-sql/postgres/client-side-encryption/snippets/cloud_kms_env_aead_test.py‎
Lines changed: 40 additions & 0 deletions b/‎cloud-sql/postgres/client-side-encryption/snippets/cloud_kms_env_aead_test.py‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎cloud-sql/postgres/client-side-encryption/snippets/cloud_sql_connection_pool.py‎
Lines changed: 106 additions & 0 deletions b/‎cloud-sql/postgres/client-side-encryption/snippets/cloud_sql_connection_pool.py‎
Lines changed: 106 additions & 0 deletions
@@ -0,0 +1,134 @@
+# Encrypting fields in Cloud SQL - Postgres with Tink
+
+## Before you begin
+
+1. If you haven't already, set up a Python Development Environment by following the [python setup guide](https://cloud.google.com/python/setup) and 
+[create a project](https://cloud.google.com/resource-manager/docs/creating-managing-projects#creating_a_project).
+
+1. Create a 2nd Gen Cloud SQL Instance by following these 
+[instructions](https://cloud.google.com/sql/docs/postgres/create-instance). Note the connection string,
+database user, and database password that you create.
+
+1. Create a database for your application by following these 
+[instructions](https://cloud.google.com/sql/docs/postgres/create-manage-databases). Note the database
+name.
+
+1. Create a KMS key for your application by following these
+[instructions](https://cloud.google.com/kms/docs/creating-keys). Copy the resource name of your
+created key.
+
+1. Create a service account with the 'Cloud SQL Client' permissions by following these 
+[instructions](https://cloud.google.com/sql/docs/postgres/connect-admin-proxy#create-service-account).
+Download a JSON key to use to authenticate your connection.
+
+1. **macOS / Windows only**: Configure gRPC Root Certificates: On some platforms you may need to
+accept the Google server certificates, see instructions for setting up
+[root certs](https://github.com/googleapis/google-cloud-cpp/blob/master/google/cloud/bigtable/examples/README.md#configure-grpc-root-certificates).
+ 
+
+## Running locally
+
+To run this application locally, download and install the `cloud_sql_proxy` by
+following the instructions [here](https://cloud.google.com/sql/docs/postgres/connect-admin-proxy#install).
+
+Instructions are provided below for using the proxy with a TCP connection or a Unix Domain Socket.
+On Linux or Mac OS you can use either option, but on Windows the proxy currently requires a TCP
+connection.
+
+### Launch proxy with TCP
+
+To run the sample locally with a TCP connection, set environment variables and launch the proxy as
+shown below.
+
+#### Linux / Mac OS
+Use these terminal commands to initialize environment variables:
+```bash
+export GOOGLE_APPLICATION_CREDENTIALS=/path/to/service/account/key.json
+export DB_HOST='127.0.0.1:5432'
+export DB_USER='<DB_USER_NAME>'
+export DB_PASS='<DB_PASSWORD>'
+export DB_NAME='<DB_NAME>'
+export GCP_KMS_URI='<GCP_KMS_URI>'
+```
+Note: Saving credentials in environment variables is convenient, but not secure - consider a more
+secure solution such as [Secret Manager](https://cloud.google.com/secret-manager/docs/quickstart) to
+help keep secrets safe.
+
+Then use this command to launch the proxy in the background:
+```bash
+./cloud_sql_proxy -instances=<project-id>:<region>:<instance-name>=tcp:5432 -credential_file=$GOOGLE_APPLICATION_CREDENTIALS &
+```
+
+Note: if you are running a local Postgres server, you will need to turn it off before running the command above or use a different port.
+
+#### Windows/PowerShell
+Use these PowerShell commands to initialize environment variables:
+```powershell
+$env:GOOGLE_APPLICATION_CREDENTIALS="<CREDENTIALS_JSON_FILE>"
+$env:DB_HOST="127.0.0.1:5432"
+$env:DB_USER="<DB_USER_NAME>"
+$env:DB_PASS="<DB_PASSWORD>"
+$env:DB_NAME="<DB_NAME>"
+$env:GCP_KMS_URI='<GCP_KMS_URI>'
+```
+Note: Saving credentials in environment variables is convenient, but not secure - consider a more
+secure solution such as [Secret Manager](https://cloud.google.com/secret-manager/docs/quickstart) to
+help keep secrets safe.
+
+Then use this command to launch the proxy in a separate PowerShell session:
+```powershell
+Start-Process -filepath "C:\<path to proxy exe>" -ArgumentList "-instances=<project-id>:<region>:<instance-name>=tcp:5432 -credential_file=<CREDENTIALS_JSON_FILE>"
+```
+
+Note: if you are running a local Postgres server, you will need to turn it off before running the command above or use a different port.
+
+### Launch proxy with Unix Domain Socket
+NOTE: this option is currently only supported on Linux and Mac OS. Windows users should use the
+[Launch proxy with TCP](#launch-proxy-with-tcp) option.
+
+To use a Unix socket, you'll need to create a directory for the sockets and
+initialize an environment variable containing the directory you just created.
+For example:
+
+```bash
+export DB_SOCKET_DIR=$(mktemp -d cloudsql)
+```
+
+Use these terminal commands to initialize other environment variables as well:
+```bash
+export GOOGLE_APPLICATION_CREDENTIALS=/path/to/service/account/key.json
+export INSTANCE_CONNECTION_NAME='<MY-PROJECT>:<INSTANCE-REGION>:<INSTANCE-NAME>'
+export DB_USER='<DB_USER_NAME>'
+export DB_PASS='<DB_PASSWORD>'
+export DB_NAME='<DB_NAME>'
+export GCP_KMS_URI='<GCP_KMS_URI>'
+```
+Note: Saving credentials in environment variables is convenient, but not secure - consider a more
+secure solution such as [Secret Manager](https://cloud.google.com/secret-manager/docs/quickstart) to
+help keep secrets safe.
+
+Then use this command to launch the proxy in the background:
+```bash
+./cloud_sql_proxy -dir=$DB_SOCKET_DIR --instances=$INSTANCE_CONNECTION_NAME --credential_file=$GOOGLE_APPLICATION_CREDENTIALS &
+```
+
+### Install requirements
+
+Next, setup install the requirements into a virtual enviroment:
+```bash
+virtualenv --python python3 env
+source env/bin/activate
+pip install -r requirements.txt
+```
+
+### Run the demo
+
+Add new votes:
+```bash
+python snippets/encrypt_and_insert_data.py 
+```
+
+View the collected votes:
+```bash
+python snippets/query_and_decrypt_data.py 
+```
@@ -0,0 +1,38 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default TEST_CONFIG_OVERRIDE for python repos.
+
+# You can copy this file into your directory, then it will be inported from
+# the noxfile.py.
+
+# The source of truth:
+# https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/noxfile_config.py
+
+TEST_CONFIG_OVERRIDE = {
+    # You can opt out from the test for specific Python versions.
+    "ignored_versions": ["2.7", "3.6"],
+    # Old samples are opted out of enforcing Python type hints
+    # All new samples should feature them
+    "enforce_type_hints": True,
+    # An envvar key for determining the project id to use. Change it
+    # to 'BUILD_SPECIFIC_GCLOUD_PROJECT' if you want to opt in using a
+    # build specific Cloud project. You can also use your own string
+    # to use your own Cloud project.
+    "gcloud_project_env": "GOOGLE_CLOUD_PROJECT",
+    # 'gcloud_project_env': 'BUILD_SPECIFIC_GCLOUD_PROJECT',
+    # A dictionary you want to inject into your test. Don't put any
+    # secrets here. These values will override predefined values.
+    "envs": {},
+}
@@ -0,0 +1 @@
+pytest==6.2.3
@@ -0,0 +1,3 @@
+SQLAlchemy==1.4.4
+pg8000==1.19.2
+tink==1.5.0
@@ -0,0 +1,48 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# [START cloud_sql_postgres_cse_key]
+import logging
+
+import tink
+from tink import aead
+from tink.integration import gcpkms
+
+logger = logging.getLogger(__name__)
+
+
+def init_tink_env_aead(
+        key_uri: str,
+        credentials: str) -> tink.aead.KmsEnvelopeAead:
+    aead.register()
+
+    try:
+        gcp_client = gcpkms.GcpKmsClient(key_uri, credentials)
+        gcp_aead = gcp_client.get_aead(key_uri)
+    except tink.TinkError as e:
+        logger.error("Error initializing GCP client: %s", e)
+        raise e
+
+    # Create envelope AEAD primitive using AES256 GCM for encrypting the data
+    # This key should only be used for client-side encryption to ensure authenticity and integrity
+    # of data.
+    key_template = aead.aead_key_templates.AES256_GCM
+    env_aead = aead.KmsEnvelopeAead(key_template, gcp_aead)
+
+    print(f"Created envelope AEAD Primitive using KMS URI: {key_uri}")
+
+    return env_aead
+
+
+# [END cloud_sql_postgres_cse_key]
@@ -0,0 +1,40 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+
+import pytest
+
+from snippets.cloud_kms_env_aead import init_tink_env_aead
+
+
+@pytest.fixture(name="kms_uri")
+def setup() -> str:
+    kms_uri = "gcp-kms://" + os.environ["CLOUD_KMS_KEY"]
+
+    yield kms_uri
+
+
+def test_cloud_kms_env_aead(
+        capsys: pytest.CaptureFixture, kms_uri: str) -> None:
+    credentials = os.environ.get("GOOGLE_APPLICATION_CREDENTIALS", None)
+    if credentials is None:
+        raise Exception(
+            "Environment variable GOOGLE_APPLICATION_CREDENTIALS is not set")
+
+    # Create env_aead primitive
+    init_tink_env_aead(kms_uri, credentials)
+
+    captured = capsys.readouterr().out
+    assert f"Created envelope AEAD Primitive using KMS URI: {kms_uri}" in captured
@@ -0,0 +1,106 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# [START cloud_sql_postgres_cse_db]
+import sqlalchemy
+
+
+def init_tcp_connection_engine(
+    db_user: str, db_pass: str, db_name: str, db_host: str
+) -> sqlalchemy.engine.base.Engine:
+    # Remember - storing secrets in plaintext is potentially unsafe. Consider using
+    # something like https://cloud.google.com/secret-manager/docs/overview to help keep
+    # secrets secret.
+
+    # Extract host and port from db_host
+    host_args = db_host.split(":")
+    db_hostname, db_port = host_args[0], int(host_args[1])
+
+    pool = sqlalchemy.create_engine(
+        # Equivalent URL:
+        # postgresql+pg8000://<db_user>:<db_pass>@<db_host>:<db_port>/<db_name>
+        sqlalchemy.engine.url.URL(
+            drivername="postgresql+pg8000",
+            username=db_user,  # e.g. "my-database-user"
+            password=db_pass,  # e.g. "my-database-password"
+            host=db_hostname,  # e.g. "127.0.0.1"
+            port=db_port,  # e.g. 5432
+            database=db_name,  # e.g. "my-database-name"
+        ),
+    )
+    print("Created TCP connection pool")
+    return pool
+
+
+def init_unix_connection_engine(
+    db_user: str,
+    db_pass: str,
+    db_name: str,
+    cloud_sql_connection_name: str,
+    db_socket_dir: str,
+) -> sqlalchemy.engine.base.Engine:
+    # Remember - storing secrets in plaintext is potentially unsafe. Consider using
+    # something like https://cloud.google.com/secret-manager/docs/overview to help keep
+    # secrets secret.
+
+    pool = sqlalchemy.create_engine(
+        # Equivalent URL:
+        # mpostgresql+pg8000://<db_user>:<db_pass>@/<db_name>?unix_socket=<socket_path>/<cloud_sql_instance_name>
+        sqlalchemy.engine.url.URL(
+            drivername="postgresql+pg8000",
+            username=db_user,  # e.g. "my-database-user"
+            password=db_pass,  # e.g. "my-database-password"
+            database=db_name,  # e.g. "my-database-name"
+            query={
+                "unix_sock": "{}/{}/.s.PGSQL.5432".format(
+                    db_socket_dir,  # e.g. "/cloudsql"
+                    cloud_sql_connection_name)  # i.e "<PROJECT-NAME>:<INSTANCE-REGION>:<INSTANCE-NAME>"
+            }
+        ),
+    )
+    print("Created Unix socket connection pool")
+    return pool
+
+
+def init_db(
+    db_user: str,
+    db_pass: str,
+    db_name: str,
+    table_name: str,
+    cloud_sql_connection_name: str = None,
+    db_socket_dir: str = None,
+    db_host: str = None,
+) -> sqlalchemy.engine.base.Engine:
+
+    if db_host:
+        db = init_tcp_connection_engine(db_user, db_pass, db_name, db_host)
+    else:
+        db = init_unix_connection_engine(
+            db_user, db_pass, db_name, cloud_sql_connection_name, db_socket_dir
+        )
+
+    # Create tables (if they don't already exist)
+    with db.connect() as conn:
+        conn.execute(
+            f"CREATE TABLE IF NOT EXISTS {table_name} "
+            "( vote_id SERIAL NOT NULL, time_cast timestamp NOT NULL, "
+            "team VARCHAR(6) NOT NULL, voter_email BYTEA, "
+            "PRIMARY KEY (vote_id) );"
+        )
+
+    print(f"Created table {table_name} in db {db_name}")
+    return db
+
+
+# [END cloud_sql_postgres_cse_db]
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+SQLAlchemy==1.4.4`
	`2`	`+pg8000==1.19.2`
	`3`	`+tink==1.5.0`