feat(kms): add import sample (#3574)

* feat(kms): add import sample

* 🦉 Updates from OwlBot post-processor

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

* chore(kms): update copyright years

* 🦉 Updates from OwlBot post-processor

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

---------

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
Co-authored-by: Sita Lakshmi Sangameswaran <sitalakshmi@google.com>
Co-authored-by: Patti Shin <pattishin@users.noreply.github.com>

Author: 4 people

kms/checkStateImportJob.js

@@ -0,0 +1,72 @@
+// Copyright 2023 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+'use strict';
+
+async function main(
+  projectId = 'my-project',
+  locationId = 'us-east1',
+  keyRingId = 'my-key-ring',
+  importJobId = 'my-import-job'
+) {
+  // [START kms_check_state_import_job]
+  //
+  // TODO(developer): Uncomment these variables before running the sample.
+  //
+  // const projectId = 'my-project';
+  // const locationId = 'us-east1';
+  // const keyRingId = 'my-key-ring';
+  // const importJobId = 'my-import-job';
+
+  // Imports the Cloud KMS library
+  const {KeyManagementServiceClient} = require('@google-cloud/kms');
+
+  // Instantiates a client
+  const client = new KeyManagementServiceClient();
+
+  // Build the import job name
+  const importJobName = client.importJobPath(
+    projectId,
+    locationId,
+    keyRingId,
+    importJobId
+  );
+
+  async function checkStateImportJob() {
+    const [importJob] = await client.getImportJob({
+      name: importJobName,
+    });
+
+    console.log(
+      `Current state of import job ${importJob.name}: ${importJob.state}`
+    );
+    return importJob;
+  }
+
+  return checkStateImportJob();
+  // [END kms_check_state_import_job]
+}
+module.exports.main = main;
+
+/* c8 ignore next 10 */
+if (require.main === module) {
+  main(...process.argv.slice(2)).catch(err => {
+    console.error(err.message);
+    process.exitCode = 1;
+  });
+  process.on('unhandledRejection', err => {
+    console.error(err.message);
+    process.exitCode = 1;
+  });
+}

kms/checkStateImportedKey.js

@@ -0,0 +1,75 @@
+// Copyright 2023 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+'use strict';
+
+async function main(
+  projectId = 'my-project',
+  locationId = 'us-east1',
+  keyRingId = 'my-key-ring',
+  cryptoKeyId = 'my-imported-key',
+  cryptoKeyVersionId = '1'
+) {
+  // [START kms_check_state_imported_key]
+  //
+  // TODO(developer): Uncomment these variables before running the sample.
+  //
+  // const projectId = 'my-project';
+  // const locationId = 'us-east1';
+  // const keyRingId = 'my-key-ring';
+  // const cryptoKeyId = 'my-imported-key';
+  // const cryptoKeyVersionId = '1';
+
+  // Imports the Cloud KMS library
+  const {KeyManagementServiceClient} = require('@google-cloud/kms');
+
+  // Instantiates a client
+  const client = new KeyManagementServiceClient();
+
+  // Build the key version name
+  const keyVersionName = client.cryptoKeyVersionPath(
+    projectId,
+    locationId,
+    keyRingId,
+    cryptoKeyId,
+    cryptoKeyVersionId
+  );
+
+  async function checkStateCryptoKeyVersion() {
+    const [keyVersion] = await client.getCryptoKeyVersion({
+      name: keyVersionName,
+    });
+
+    console.log(
+      `Current state of key version ${keyVersion.name}: ${keyVersion.state}`
+    );
+    return keyVersion;
+  }
+
+  return checkStateCryptoKeyVersion();
+  // [END kms_check_state_imported_key]
+}
+module.exports.main = main;
+
+/* c8 ignore next 10 */
+if (require.main === module) {
+  main(...process.argv.slice(2)).catch(err => {
+    console.error(err.message);
+    process.exitCode = 1;
+  });
+  process.on('unhandledRejection', err => {
+    console.error(err.message);
+    process.exitCode = 1;
+  });
+}

kms/createImportJob.js

@@ -0,0 +1,70 @@
+// Copyright 2023 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+'use strict';
+
+async function main(
+  projectId = 'my-project',
+  locationId = 'us-east1',
+  keyRingId = 'my-key-ring',
+  id = 'my-import-job'
+) {
+  // [START kms_create_import_job]
+  //
+  // TODO(developer): Uncomment these variables before running the sample.
+  //
+  // const projectId = 'my-project';
+  // const locationId = 'us-east1';
+  // const keyRingId = 'my-key-ring';
+  // const id = 'my-import-job';
+
+  // Imports the Cloud KMS library
+  const {KeyManagementServiceClient} = require('@google-cloud/kms');
+
+  // Instantiates a client
+  const client = new KeyManagementServiceClient();
+
+  // Build the parent key ring name
+  const keyRingName = client.keyRingPath(projectId, locationId, keyRingId);
+
+  async function createImportJob() {
+    const [importJob] = await client.createImportJob({
+      parent: keyRingName,
+      importJobId: id,
+      importJob: {
+        protectionLevel: 'HSM',
+        importMethod: 'RSA_OAEP_3072_SHA256',
+      },
+    });
+
+    console.log(`Created import job: ${importJob.name}`);
+    return importJob;
+  }
+
+  return createImportJob();
+  // [END kms_create_import_job]
+}
+module.exports.main = main;
+
+/* c8 ignore next 10 */
+if (require.main === module) {
+  main(...process.argv.slice(2)).catch(err => {
+    console.error(err.message);
+    process.exitCode = 1;
+  });
+  process.on('unhandledRejection', err => {
+    console.error(err.message);
+    process.exitCode = 1;
+  });
+}

kms/createKeyForImport.js

@@ -0,0 +1,78 @@
+// Copyright 2023 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+'use strict';
+
+async function main(
+  projectId = 'my-project',
+  locationId = 'us-east1',
+  keyRingId = 'my-key-ring',
+  id = 'my-imported-key'
+) {
+  // [START kms_create_key_for_import]
+  //
+  // TODO(developer): Uncomment these variables before running the sample.
+  //
+  // const projectId = 'my-project';
+  // const locationId = 'us-east1';
+  // const keyRingId = 'my-key-ring';
+  // const id = 'my-imported-key';
+
+  // Imports the Cloud KMS library
+  const {KeyManagementServiceClient} = require('@google-cloud/kms');
+
+  // Instantiates a client
+  const client = new KeyManagementServiceClient();
+
+  // Build the parent key ring name
+  const keyRingName = client.keyRingPath(projectId, locationId, keyRingId);
+
+  async function createKeyForImport() {
+    const [key] = await client.createCryptoKey({
+      parent: keyRingName,
+      cryptoKeyId: id,
+      cryptoKey: {
+        purpose: 'ENCRYPT_DECRYPT',
+        versionTemplate: {
+          algorithm: 'GOOGLE_SYMMETRIC_ENCRYPTION',
+          protectionLevel: 'HSM',
+        },
+        // Optional: ensure that only imported versions may be added to this
+        // key.
+        importOnly: true,
+      },
+      // Do not allow KMS to generate an initial version of this key.
+      skipInitialVersionCreation: true,
+    });
+
+    console.log(`Created key for import: ${key.name}`);
+    return key;
+  }
+
+  return createKeyForImport();
+  // [END kms_create_key_for_import]
+}
+module.exports.main = main;
+
+/* c8 ignore next 10 */
+if (require.main === module) {
+  main(...process.argv.slice(2)).catch(err => {
+    console.error(err.message);
+    process.exitCode = 1;
+  });
+  process.on('unhandledRejection', err => {
+    console.error(err.message);
+    process.exitCode = 1;
+  });
+}

kms/importManuallyWrappedKey.js

@@ -0,0 +1,98 @@
+// Copyright 2023 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+'use strict';
+
+async function main(
+  projectId = 'my-project',
+  locationId = 'us-east1',
+  keyRingId = 'my-key-ring',
+  cryptoKeyId = 'my-imported-key',
+  importJobId = 'my-import-job'
+) {
+  // [START kms_import_manually_wrapped_key]
+  //
+  // TODO(developer): Uncomment these variables before running the sample.
+  //
+  // const projectId = 'my-project';
+  // const locationId = 'us-east1';
+  // const keyRingId = 'my-key-ring';
+  // const cryptoKeyId = 'my-imported-key';
+  // const importJobId = 'my-import-job';
+
+  // Imports the Cloud KMS library
+  const {KeyManagementServiceClient} = require('@google-cloud/kms');
+
+  // Instantiates a client
+  const client = new KeyManagementServiceClient();
+
+  // Build the crypto key and importjob resource names
+  const cryptoKeyName = client.cryptoKeyPath(
+    projectId,
+    locationId,
+    keyRingId,
+    cryptoKeyId
+  );
+  const importJobName = client.importJobPath(
+    projectId,
+    locationId,
+    keyRingId,
+    importJobId
+  );
+
+  async function wrapAndImportKey() {
+    // Generate a 32-byte key to import.
+    const crypto = require('crypto');
+    const targetKey = crypto.randomBytes(32);
+
+    const [importJob] = await client.getImportJob({name: importJobName});
+
+    // Wrap the target key using the import job key
+    const wrappedTargetKey = crypto.publicEncrypt(
+      {
+        key: importJob.publicKey.pem,
+        oaepHash: 'sha256',
+        padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
+      },
+      targetKey
+    );
+
+    // Import the target key version
+    const [version] = await client.importCryptoKeyVersion({
+      parent: cryptoKeyName,
+      importJob: importJobName,
+      algorithm: 'GOOGLE_SYMMETRIC_ENCRYPTION',
+      wrappedKey: wrappedTargetKey,
+    });
+
+    console.log(`Imported key version: ${version.name}`);
+    return version;
+  }
+
+  return wrapAndImportKey();
+  // [END kms_import_manually_wrapped_key]
+}
+module.exports.main = main;
+
+/* c8 ignore next 10 */
+if (require.main === module) {
+  main(...process.argv.slice(2)).catch(err => {
+    console.error(err.message);
+    process.exitCode = 1;
+  });
+  process.on('unhandledRejection', err => {
+    console.error(err.message);
+    process.exitCode = 1;
+  });
+}