]hddlZddlZddlZddlZddlmZddlmZddlm Z m Z ddl m Z m Z mZmZmZmZmZddl mZddlmZddlmZddlmZdd lmZdd lmZdd lmZdd l m!Z!dd l"m#Z#ddl$m%Z%ddl&m'Z'ddl(m)Z)m*Z*erddl+m,Z,ddlm-Z-ddl m.Z.dZ/dZ0dZ1e/e0e1gZ2e0e1gZ3dZ4dZ5dZ6dZ7dZ8GddeZ9de:d e fd!Z;d"e9fd#Z<Gd$d%e=Z>Gd&d'e=Z?Gd(d)Z@Gd*d+ZAGd,d-ZBGd.d/ZCGd0d1ZDd2eEd3eFd4eEd5eEfd6ZGd7eeCd5eHfd8ZId9e:d:e:d;e:deFd;e:d5eFfd?ZKd@eFdAeFd>eeFd7eeCd5eeeFeFfeeFeFfff dBZLdCee:e fd5eeCfdDZMdEeFd7eeCd5eFfdFZNd"e9dGeEdHeeEdIe:d5ee:e ff dJZOdKee:e fd5eCfdLZPdGeEdHeEd5efdMZQ ded7eCdNee9dOee e:ge9fd5eEfdPZR dedQeEd7eCdNee9dRee e:ge9fd5eEf dSZSdTeEdNe9dIe:d5ee:eEffdUZTdNee9dIe:d5eeeEeeEee:ffdVZUdWeHdNee9dOee e:ge9fdXeEdYeFdZeFd[ee:e fd5eEfd\ZVdGeeEdHeeEd]eHd5eed^ed_ffd`ZWdQe:dNe9dIe:d5e:fdaZXdQe:dbdcdWeHdNee9dRee e:ge9fd5e:f ddZYy)fN) OrderedDict)BytesIO)dumpsloads)AnyCallableDictIOOptionalTuple TYPE_CHECKING)Protocol)default_backend)Cipher)AESGCM)AES)CBC)PKCS7)HttpResponseError)CaseInsensitiveDict)VERSION)decode_base64_to_bytes encode_base64)PipelineResponse)AEADEncryptionContext)PaddingContext1.0z2.0z2.1i@ zT{0} does not define a complete interface. Value of {1} is either missing or invalid.zTThe require_encryption flag is set, but encryption is not supported for this method.cHeZdZdedefdZdededefdZdefdZdefdZy) KeyEncryptionKeykeyreturncyN)selfr#s d/var/www/core.comfia.cic-ware.com/crm/lib/python3.12/site-packages/azure/storage/blob/_encryption.pywrap_keyzKeyEncryptionKey.wrap_key< algorithmcyr&r')r(r#r-s r) unwrap_keyzKeyEncryptionKey.unwrap_key?r+r,cyr&r'r(s r)get_kidzKeyEncryptionKey.get_kidBr+r,cyr&r'r1s r)get_key_wrap_algorithmz'KeyEncryptionKey.get_key_wrap_algorithmEr+r,N) __name__ __module__ __qualname__bytesr*strr/r2r4r'r,r)r"r":sG E e  e       r,r" param_nameparamc$|t|dy)Nz should not be None.) ValueError)r:r;s r)_validate_not_noner>Is }J<';<==r,kekct|drt|jsttj ddt|drt|j sttj ddt|drt|jsttj ddy)Nr*key encryption keyr2r4)hasattrcallabler*AttributeError_ERROR_OBJECT_INVALIDformatr2r4)r?s r)!_validate_key_encryption_key_wraprGNs 3 #8CLL+A299:NPZ[\\ 3 "(3;;*?299:NPYZ[[ 30 1#B\B\9]299:NPhijj:^r,c"eZdZdeeeffdZy)StorageEncryptionMixinkwargsc|jdd|_|jdd|_|jd|_|jd|_|jr&|jdk(rt j dyyy)Nrequire_encryptionFencryption_versionrkey_encryption_keykey_resolver_functionaThis client has been configured to use encryption with version 1.0. Version 1.0 is deprecated and no longer considered secure. It is highly recommended that you switch to using version 2.0. The version can be specified using the 'encryption_version' keyword.)getrLrMrNrOwarningswarn)r(rJs r)_configure_encryptionz,StorageEncryptionMixin._configure_encryptionYs"(**-A5"I"(**-A5"I"(**-A"B%+ZZ0G%H"  " "t'>'>%'G MMN O(H "r,N)r5r6r7r r9rrSr'r,r)rIrIXs ODcN Or,rIceZdZdZdZdZy)_EncryptionAlgorithmz> Specifies which client encryption algorithm is used. AES_CBC_256 AES_GCM_256N)r5r6r7__doc__rVrWr'r,r)rUrUes KKr,rUc(eZdZdZdedededdfdZy)_WrappedContentKeyzD Represents the envelope key details stored on the service. r- encrypted_keykey_idr$Ncvtd|td|td|||_||_||_y)z :param str algorithm: The algorithm used for wrapping. :param bytes encrypted_key: The encrypted content-encryption-key. :param str key_id: The key-encryption-key identifier string. r-r[r\N)r>r-r[r\)r(r-r[r\s r)__init__z_WrappedContentKey.__init__rs8 ; 2?M:8V,"* r,)r5r6r7rXr9r8r^r'r,r)rZrZms(#eSTr,rZc(eZdZdZdedededdfdZy)_EncryptedRegionInfoz` Represents the length of encryption elements. This is only used for Encryption V2. data_length nonce_length tag_lengthr$Ncvtd|td|td|||_||_||_y)a :param int data_length: The length of the encryption region data (not including nonce + tag). :param int nonce_length: The length of nonce used when encrypting. :param int tag_length: The length of the encryption tag. rarbrcN)r>rarbrc)r(rarbrcs r)r^z_EncryptedRegionInfo.__init__s9 =+6><8<4&($r,)r5r6r7rXintr^r'r,r)r`r`s) %C%s%%PT%r,r`c$eZdZdZdededdfdZy)_EncryptionAgentz Represents the encryption agent stored on the service. It consists of the encryption protocol version and encryption algorithm used. encryption_algorithmprotocolr$Ncbtd|td|t||_||_y)z :param _EncryptionAlgorithm encryption_algorithm: The algorithm used for encrypting the message contents. :param str protocol: The protocol version used for encryption. rhriN)r>r9rhri)r(rhris r)r^z_EncryptionAgent.__init__s/ 13GH:x0$'(<$=!  r,)r5r6r7rXrUr9r^r'r,r)rgrgs# !-A !S !UY !r,rgc FeZdZdZdeedeededede e e fddf d Z y) _EncryptionDatazG Represents the encryption data that is stored on the service. content_encryption_IVencrypted_region_infoencryption_agentwrapped_content_keykey_wrapping_metadatar$Nc8td|td||jtjk(r td|n5|jtjk(r td|n t d||_||_||_||_ ||_ y)a :param Optional[bytes] content_encryption_IV: The content encryption initialization vector. Required for AES-CBC (V1). :param Optional[_EncryptedRegionInfo] encrypted_region_info: The info about the autenticated block sizes. Required for AES-GCM (V2). :param _EncryptionAgent encryption_agent: The encryption agent. :param _WrappedContentKey wrapped_content_key: An object that stores the wrapping algorithm, the key identifier, and the encrypted key bytes. :param Dict[str, Any] key_wrapping_metadata: A dict containing metadata related to the key wrapping. rorprmrnzInvalid encryption algorithm.N) r>rhrUrVrWr=rmrnrorprq)r(rmrnrorprqs r)r^z_EncryptionData.__init__s, -/?@02EF  0 04H4T4T T 68M N  2 26J6V6V V 68M N<= =%:"%:" 0#6 %:"r,) r5r6r7rXr r8r`rgrZr r9rr^r'r,r)rlrlsV%;%-e_%;'(<=%;+%;0 %; $CH~ %;  %;r,rlc<eZdZdZdedeeddfdZd dedefdZy) GCMBlobEncryptionStreamz A stream that performs AES-GCM encryption on the given data as it's streamed. Data is read and encrypted in regions. The stream will use the same encryption key and will generate a guaranteed unique nonce for each encryption region. content_encryption_key data_streamr$NcJ||_||_d|_d|_d|_y)z :param bytes content_encryption_key: The encryption key to use. :param IO[bytes] data_stream: The data stream to read data from. rr,N)rurvoffsetcurrent nonce_counter)r(rurvs r)r^z GCMBlobEncryptionStream.__init__s*'=#&  r,sizect}|dk(rtjn|}|dkDrt|jdkDrkt |t|j}|j |jd||j|d|_|xj|z c_||z}|dkDry|jjt}t|dk(r |jSt||j|j|_|xjdz c_ |dkDr|jS)z Read data from the stream. Specify -1 to read all available data. :param int size: The amount of data to read. Defaults to -1 for all data. :return: The bytes read. :rtype: bytes rNr)rsysmaxsizelenryminwriterxrvread_GCM_REGION_DATA_LENGTHencrypt_data_v2rzrugetvalue)r(r{result remainingrdatas r)rzGCMBlobEncryptionStream.reads #'2:CKK4 !m4<< 1$9c$,,&78 T\\%401#||DE2  t# T! 1}'',,-DEt9>   /tT5G5GIdIde ""a'"'!m*  r,)r}) r5r6r7rXr8r r^rerr'r,r)rtrts= &+ Y    ! !e !r,rtrnoncer#r$ct|jtd}t|}|j||d}||zS)a Encrypts the given data using the given nonce and key using AES-GCM. The result includes the data in the form: nonce + ciphertext + tag. :param bytes data: The raw data to encrypt. :param int nonce: The nonce to use for encryption. :param bytes key: The encryption key to use for encryption. :return: The encrypted bytes in the form: nonce + ciphertext + tag. :rtype: bytes bigN)to_bytes_GCM_NONCE_LENGTHrencrypt)rrr# nonce_bytesaesgcmciphertext_with_tags r)rrs?..!2E:K C[F!..dDA , ,,r,encryption_datacTt|xr|jjtvS)a' Determine whether the given encryption data signifies version 2.0 or 2.1. :param Optional[_EncryptionData] encryption_data: The encryption data. Will return False if this is None. :return: True, if the encryption data indicates encryption V2, false otherwise. :rtype: bool )boolrori_ENCRYPTION_V2_PROTOCOLS)rs r)is_encryption_v2r)s& k_%E%E%N%NRj%j llr, user_agentmonikerrMrequest_optionsc|jdryd|}||vry|jd|}|d||d||d}|jdr|jdd|}||d<d|d<y)a% Modifies the request options to contain a user agent string updated with encryption information. Adds azstorage-clientsideencryption/ immediately proceeding the SDK descriptor. :param str user_agent: The existing User Agent to modify. :param str moniker: The specific SDK moniker. The modification will immediately proceed azsdk-python-{moniker}. :param str encryption_version: The version of encryption being used. :param Dict[str, Any] request_options: The reuqest options to add the user agent override to. user_agent_overwriteNzazstorage-clientsideencryption/z azsdk-python- rT)rPfind)rrrMr feature_flagindexs r) modify_user_agent_for_encryptionr5s 1255G4HILz! OOmG95 6Ev&' ~Qz%&7I6JKJ<('++L9:!J<H $.OL!.2O*+r,lengthc|tk(r |d|dzz zS|tk(r1ttz}t j |t z }|||zzStd)a. Get the adjusted size of the blob upload which accounts for extra encryption data (padding OR nonce + tag). :param int length: The plaintext data length. :param str encryption_version: The version of encryption being used. :return: The new upload size to use. :rtype: int r %Invalid encryption version specified.)_ENCRYPTION_PROTOCOL_V1_ENCRYPTION_PROTOCOL_V2r_GCM_TAG_LENGTHmathceilrr=)rrMencryption_data_lengthregionss r)get_adjusted_upload_sizerWsf44v{+,,44!2_!D))F%<<=#99:: < ==r,startendc0d\}}|||f||ffS|jjtk(r+||dz}||z}|dkDr |dz }|dz}|d|dzz }||z }n|jjtvrd|}}|j t d|jj }|jj}|jj}||z|z} ||z } |||z} | |z} | | z} || z }| }|||z} || zdz}| | z| zdz }||f||ffS)aA Gets the new download range and offsets into the decrypted data for the given user-specified range. The new download range will include all the data needed to decrypt the user-provided range and will include only full encryption regions. The offsets returned will be the offsets needed to fetch the user-requested data out of the full decrypted data. The end offset is different based on the encryption version. For V1, the end offset is offset from the end whereas for V2, the end offset is the ending index into the stream. V1: decrypted_data[start_offset : len(decrypted_data) - end_offset] V2: decrypted_data[start_offset : end_offset] :param int start: The user-requested start index. :param int end: The user-requested end index. :param Optional[int] length: The user-requested length. Only used for V1. :param Optional[_EncryptionData] encryption_data: The encryption data to determine version and sizes. :return: (new start, new end), (start offset, end offset) :rtype: Tuple[Tuple[int, int], Tuple[int, int]] )rrr r+Missing required metadata for Encryption V2r) rorirrrnr=rbrarc)rrrr start_offset end_offsetrbrarc region_lengthrequested_length region_num data_start region_starts r)&get_adjusted_download_range_and_offsetrls2 $L*s|lJ777''004KK   2:L \ !E qy"    sRxJ : C  ) ) 2 26N N#$cj  0 0 8JK K&<<II %;;GG $::EE ${2Z? ;  +-J#k1J% 5L :-L E ? +J%(881BC 3<, 3 33r,metadatacV t|}tt|dS#YyxYw)aE Parses the encryption data out of the given blob metadata. If metadata does not exist or there are parsing errors, this function will just return None. :param Dict[str, Any] metadata: The blob metadata parsed from the response. :return: The encryption data or None :rtype: Optional[_EncryptionData] encryptiondataN)r_dict_to_encryption_datar)rcase_insensitive_metadatas r)parse_encryption_datars3$7$A!'.GHX.Y(Z[[s!$(r{c||jzt|ro|jj}|jj}|jj}||z|z}t j ||z }|||zz}||z S|S)ai Adjusts the given blob size for encryption by subtracting the size of the encryption data (nonce + tag). This only has an affect for encryption V2. :param int size: The original blob size. :param Optional[_EncryptionData] encryption_data: The encryption data to determine version and sizes. :return: The new blob size. :rtype: int )rnrrbrarcrr)r{rrbrarcr num_regions metadata_sizes r)adjust_blob_size_for_encryptionrs #--9)&<<II %;;GG $::EE ${2Z? ii} 45 #|j'@A m## Kr,cekivversionc|tk(r|j|}nM|tk(r9tjj dd|z}|j|}n t dt }|j|d<t||d<|j|d<t }||d<|tk(rtj|d<n8|tk(r/tj|d<t }t|d <t|d <t } || d <|| d <|tk(rt|| d <n|tk(r| d<t ddtzi| d<| S)a Generates and returns the encryption metadata as a dict. :param KeyEncryptionKey kek: The key encryption key. See calling functions for more information. :param bytes cek: The content encryption key. :param Optional[bytes] iv: The initialization vector. Only required for AES-CBC. :param str version: The client encryption version used. :return: A dict containing all the encryption metadata. :rtype: Dict[str, Any] rKeyId EncryptedKey AlgorithmrEncryptionAlgorithm DataLength NonceLengthWrappedContentKeyEncryptionAgentContentEncryptionIVEncryptedRegionInfoEncryptionLibraryzPython KeyWrappingMetadata)rr*rencodeljustr=rr2rr4rUrVrWrrr) r?rrr wrapped_cekto_wraprprornencryption_data_dicts r)_generate_encryption_data_dictrsw"))ll3' + +)00288EBSHll7+ @AA&-#&;;= *7 *D''*'A'A'C $"}#*Z ))2F2R2R./ + +2F2R2R./ + .El+/@m,7B}0C,-.>*+))6CB6G23 + +6K232=?RT]`gTg>h2i./ r,rc |dd}|tvr td |d}t|dt |d|d}|d}t |d |d}d |vr|d }nd}d}d |vrt |d }d}d |vr|d }t |d |dt}t|||||} | S#t$r}td|d}~wwxYw)a' Converts the specified dictionary to an EncryptionData object for eventual use in decryption. :param dict encryption_data_dict: The dictionary containing the encryption data. :return: an _EncryptionData object built from the dictionary. :rtype: _EncryptionData rrzUnsupported encryption version.Nrrrrrrrrrr) _VALID_ENCRYPTION_PROTOCOLSr=KeyErrorrZrrgr`rrl) rriexcrprorq encryption_iv region_infornrs r)rr"sRE'(9::F 6 6>? ? 7//BC,-@-M-CDWXfDg-h-@-IK,,=>'(89N(O(8(DF 44 45J K $M 44./CDY/Z[ K 44 45J K*+@+N+@+O+:< &m&1&6&9&; =O G E:;DEsB,, C5 CCc\t}t|}t|}t|||S)aP Generates and returns an encryption cipher for AES CBC using the given cek and iv. :param bytes[] cek: The content encryption key for the cipher. :param bytes[] iv: The initialization vector for the cipher. :return: A cipher for encrypting in AES256 CBC. :rtype: ~cryptography.hazmat.primitives.ciphers.Cipher )rrrr)rrbackendr-modes r)_generate_AES_CBC_cipherrVs-GCI r7D )T7 ++r,rN key_resolvercltd|jj|jjt k(rtd|j n>|jjtvrtd|jn tdd}|||jj}| tdt|drt|jsttj!ddt|d rt|j"sttj!dd |jj|jk7r td |j#|jj|jj$}|jjtvr`|jjj'j)d d }|dt+|}||k7r td |t+|d}td||S)a Extracts and returns the content_encryption_key stored in the encryption_data object and performs necessary validation on all parameters. :param _EncryptionData encryption_data: The encryption metadata of the retrieved value. :param Optional[KeyEncryptionKey] key_encryption_key: The user-provided key-encryption-key. Must implement the following methods: wrap_key(key) - Wraps the specified key using an algorithm of the user's choice. get_key_wrap_algorithm() - Returns the algorithm used to wrap the specified symmetric key. get_kid() - Returns a string key id for this key-encryption-key. :param Optional[Callable[[str], KeyEncryptionKey]] key_resolver: A function used that, given a key_id, will return a key_encryption_key. Please refer to high-level service object instance variables for more details. :return: The content_encryption_key stored in the encryption_data object. :rtype: bytes r[rmrn.Specified encryption version is not supported.NzKUnable to decrypt. key_resolver and key_encryption_key cannot both be None.r2rAr/zUProvided or resolved key-encryption-key does not match the id of key used to encrypt.rrz@The encryption metadata is not valid and may have been modified.ru)r>rpr[rorirrmrrnr=r\rBrCr2rDrErFr/r-rrr)rrNrruversion_2_bytescek_version_bytess r)_validate_and_unwrap_cekrfs2(K(K(Y(YZ''004KK2O4Y4YZ  ) ) 2 26N N2O4Y4YZIJJ.2)/*M*M*T*TU!fgg %y 1BTB\B\9]299:NPYZ[[ %| 4HEWEbEbrrorirrmr=r decryptorupdatefinalizerunpadderrrnrbrerdecrypt)rrrNrrucipherrdecrypted_datar block_inforbrrrs r)_decrypt_messagersx:y'*5oGY[cd''004KK44HI I)*@/BgBgh$$& #**73i6H6H6JJ:&&("//.9HrGrosurandomrrpadderrr encryptorrrrtrr=rr) rrNrruinitialization_vectorrr padded_datarencrypted_datarencryption_streamrs r) encrypt_blobrs3.vt$+-?@%&89))!#B " 2)*@BWXs""$mmD)FOO,== $$& "))+69K9K9MM + +!#B $t}34JDQ*//1@AA45GI_5JGUO(2O$%  !> 11r,cd}d}d}|r\t|tjd}|tk(rtjd}t ||||}d|d<t |}|||fS)a Generates the encryption_metadata for the blob. :param Optional[KeyEncryptionKey] key_encryption_key: The key-encryption-key used to wrap the cek associate with this blob. :param str version: The client encryption version to use. :return: A tuple containing the cek and iv for this blob as well as the serialized encryption metadata for the blob. :rtype: (Optional[bytes], Optional[bytes], Optional[str]) Nrr rr)rGrrrrr)rNrrrurrs r)generate_blob_encryption_datar/sO! )*<=!#B - -$&JJrN !=>P9O9N9@ B2<-. 45 !#8/ IIr,rLcontentrrresponse_headersc tt|d}|jj } | t jt jfvr td|jj} | tvr tdt|||} | tk(rA|d} d} d}d|vr|d}|jd }|d jd }|d jd }t|d }t|d }|dk\r|dd} |dd}|dz}n |j} ||d z k(rd}nd}|j} | dk(rd}| tdt!| | }|j#}|j%||j'z}|r;t)dj+}|j%||j'z}||t-||z S| t.vrt-|}d }|j0 td|j0j2}|j0j4}|j0j6}||z|z}t9}||krXt;||}||||z}|d|}||d}t=| } | j?||d}!|jA|!||z }||krX|||Std#t$r}|r td||cYd}~Sd}~wwxYw)a Decrypts the given blob contents and returns only the requested range. :param bool require_encryption: Whether the calling blob service requires objects to be decrypted. :param Optional[KeyEncryptionKey] key_encryption_key: The user-provided key-encryption-key. Must implement the following methods: wrap_key(key) - Wraps the specified key using an algorithm of the user's choice. get_key_wrap_algorithm() - Returns the algorithm used to wrap the specified symmetric key. get_kid() - Returns a string key id for this key-encryption-key. :param key_resolver: The user-provided key resolver. Uses the kid string to return a key-encryption-key implementing the interface defined above. :type key_resolver: Optional[Callable[[str], KeyEncryptionKey]] :param bytes content: The encrypted blob content. :param int start_offset: The adjusted offset from the beginning of the *decrypted* content for the caller's data. :param int end_offset: The adjusted offset from the end of the *decrypted* content for the caller's data. :param Dict[str, Any] response_headers: A dictionary of response headers from the download request. Expected to include the 'x-ms-meta-encryptiondata' header if the blob was encrypted. :return: The decrypted blob content. :rtype: bytes zx-ms-meta-encryptiondatazEncryption required, but received data does not contain appropriate metadata.Data was either not encrypted or metadata has been lost.Nz0Specified encryption algorithm is not supported.rzx-ms-blob-typeFz content-rangerr-/rr TPageBlobz+Missing required metadata for Encryption V1rr)!rr Exceptionr=rorhrUrVrWrirrrsplitrermrrrrrrrrrnrbrarc bytearrayrrrextend)"rLrNrr rrr rrr-rru blob_typerunpad content_range end_range blob_sizerrr total_sizerxrbrarcrdecrypted_content process_sizeencrypted_regionrrrrs" r) decrypt_blobrQsVL259IJd9e3fg 00EEI,88:N:Z:Z[[KLL..77G11IJJ5oGY[gh))$%56 " . .,_=M*//4M)!,2237M)!,2237MM!,-IM!,-Ir!Sb\!"#," $::IM)E 66B  "E :JK K)*@"E$$& ""7+i.@.@.BB Sz**,Hoog.1B1B1DDG|S\J%>??**\   0 0 8JK K&<<II %;;GG $::EE ${2Z? %Kz!}j9L&vf|.CD %]l3E"2<="A 23F#^^E3FMN  $ $^ 4 l "Fz! !j99 E FFA  KLQT U sK K-K("K-(K- should_padrrcd}d}|;|9t||}|j}|rtdjnd}||fS)Nr)rrrr)rrrrrrs r)get_blob_encryptor_and_padderrsR I F 2>)#r2$$& (2s""$ f r,ctd|td|t||jd}|tk(rt j d}t j d}t ||}tdj}|j||jz}|j} | j|| jz} nd|tk(rPt j d}d}t j d} t|} | j| |d} | | z} n td t!| t#||||d }t%|S) a Encrypts the given plain text message using the given protocol version. Wraps the generated content-encryption-key using the user-provided key-encryption-key (kek). Returns a json-formatted string containing the encrypted message and the encryption metadata. :param str message: The plain text message to be encrypted. :param KeyEncryptionKey key_encryption_key: The user-provided key-encryption-key. Must implement the following methods: wrap_key(key) - Wraps the specified key using an algorithm of the user's choice. get_key_wrap_algorithm() - Returns the algorithm used to wrap the specified symmetric key. get_kid() - Returns a string key id for this key-encryption-key. :param str version: The client encryption version to use. :return: A json-formatted string containing the encrypted message and the encryption metadata. :rtype: str rrNutf-8rr rNrr)EncryptedMessageContentsEncryptionData)r>rGrrrrrrrrrrrrrr=rrr)rrNrmessage_as_bytesrurrrrrrrrcipertext_with_tag queue_messages r)encrypt_queue_messager's^*y'*+-?@%&89&nnW5))!#B " 2)*@BWXs""$mm$458II $$& "))+69K9K9MM + +!#B $ 2./$^^E3CTJ!33@AA2?~1N'EFXF\F[FM(OPM  r,responserc>|j} t|}t|d}t|d} t ||||jdS#tt f$r}|r t d||cYd}~Sd}~wwxYw#t$r} td|| | d} ~ wwxYw)a Returns the decrypted message contents from an EncryptedQueueMessage. If no encryption metadata is present, will return the unaltered message. :param str message: The JSON formatted QueueEncryptedMessage contents with all associated metadata. :param Any response: The pipeline response used to generate an error with. :param bool require_encryption: If set, will enforce that the retrieved messages are encrypted and decrypt them. :param Optional[KeyEncryptionKey] key_encryption_key: The user-provided key-encryption-key. Must implement the following methods: wrap_key(key) - Wraps the specified key using an algorithm of the user's choice. get_key_wrap_algorithm() - Returns the algorithm used to wrap the specified symmetric key. get_kid() - Returns a string key id for this key-encryption-key. :param Optional[Callable[[str], KeyEncryptionKey]] resolver: The user-provided key resolver. Uses the kid string to return a key-encryption-key implementing the interface defined above. :return: The plain text message from the queue message. :rtype: str r#r"zEncryption required, but received message does not contain appropriate metatadata. Message was either not encrypted or metadata was incorrect.Nr!zDecryption failed.)rr(error) http_responserrrrr=rdecoderr) rr(rLrNrdeserialized_messager decoded_datarr*s r)decrypt_queue_messager/2s<%%H/4W~23GHX3YZ-.BC].^_ $ o?QS[\ccdkll j !  NOTW X  $($ $$s4'AA?A<"A71A<7A<? BBB)NN)Zrrr~rQ collectionsriorjsonrrtypingrrr r r r r TypedOrderedDicttyping_extensionsrcryptography.hazmat.backendsr&cryptography.hazmat.primitives.ciphersr+cryptography.hazmat.primitives.ciphers.aeadr1cryptography.hazmat.primitives.ciphers.algorithmsr,cryptography.hazmat.primitives.ciphers.modesr&cryptography.hazmat.primitives.paddingrazure.core.exceptionsrazure.core.utilsr_versionr_sharedrrazure.core.pipelinerrrrr_ENCRYPTION_PROTOCOL_V2_1rrrrrrE(_ERROR_UNSUPPORTED_METHOD_FOR_ENCRYPTIONr"r9r>rGobjectrIrUrZr`rgrlrtr8rerrrrrrrrrrrrrrrrrr'r/r'r,r)rDs9 #KJJ2&89>A<830:4LE !68OQjk35NO)[)  x  >3>s> k+;k OV O 6 .%%0!!(*;*;Z6!6!r-%--%-E-& mh&? mD m333 3c3h 3  3D>S>c>c>*M4M4 M4 M4"/2 M48=U38_eTWY\T\o=]7^ M4`DcNx7P"#@Y^a48 8 8  UO8  8 #s( # 8 v14S>1o1h ,% ,U ,v ,$6:@DC"$C" !12C"8SE+;$;<=C" C"R6:<@ B B$B!!12Bx'7 789 B  BJ;2u;22B;2S;2UZ[^`e[eUf;2|J !12J J 8E?HUOXc] :;JDHG HG$%56HGx/?(?@AHG HG  HG  HGsCx.HG HGV  %    8+ ,h7G.H HI  C 3C