load("@rules_python//python:defs.bzl", "py_binary")
load("@pip_deps//:requirements.bzl", "requirement")

package(default_visibility = ["//visibility:private"])

licenses(["notice"])

py_binary(
    name = "encrypted_keyset",
    srcs = ["encrypted_keyset.py"],
    python_version = "PY3",
    deps = [
        requirement("absl-py"),
        "@tink_py//tink:tink_python",
        "@tink_py//tink/aead",
        "@tink_py//tink/integration/gcpkms",
    ],
)

# In order to run this test, you'd have to use your own Cloud KMS key and credential.
sh_test(
    name = "encrypted_keyset_test",
    size = "small",
    srcs = ["encrypted_keyset_test.sh"],
    args = [
        "$(rootpath :encrypted_keyset)",
        # Change this to your key.
        "gcp-kms://projects/tink-test-infrastructure/locations/global/keyRings/unit-and-integration-testing/cryptoKeys/aead-key",
        # Change this to your credential.
        "$(rootpath //testdata/gcp:credential.json)",
    ],
    data = [
        ":encrypted_keyset",
        "@google_root_pem//file",
        # Change this to your credential.
        "//testdata/gcp:credential.json",
    ],
    tags = ["manual"],
)

# This runs the previous test, assuming the Tink python package has been
# installed previously with pip3 install.
sh_test(
    name = "encrypted_keyset_test_package",
    size = "small",
    srcs = ["encrypted_keyset_test.sh"],
    args = [
        "'python3 $(rootpath :encrypted_keyset.py)'",
        # Change this to your key.
        "gcp-kms://projects/tink-test-infrastructure/locations/global/keyRings/unit-and-integration-testing/cryptoKeys/aead-key",
        # Change this to your credential.
        "$(rootpath //testdata/gcp:credential.json)",
    ],
    data = [
        ":encrypted_keyset.py",
        "@google_root_pem//file",
        # Change this to your credential.
        "//testdata/gcp:credential.json",
    ],
    tags = ["manual"],
)