def test_aws_kms_discovery_keyring_on_decrypt_existing_data_key(caplog):
    """on_decrypt leaves an already-populated data key untouched and makes no decrypt attempt.

    No KMS CMKs exist in this test context, so a real KMS call would fail and
    surface as the keyring's "Unable to decrypt ..." debug line; the absence of
    that line is the second thing checked here.
    """
    caplog.set_level(logging.DEBUG)
    discovery_keyring = _AwsKmsDiscoveryKeyring(client_supplier=DefaultClientSupplier())

    # Pre-populated plaintext data key: random bytes sized to the algorithm's KDF input.
    existing_key = RawDataKey(
        key_provider=MasterKeyInfo(provider_id="foo", key_info=b"bar"),
        data_key=os.urandom(ALGORITHM.kdf_input_len),
    )
    materials_in = DecryptionMaterials(
        algorithm=ALGORITHM,
        encryption_context={},
        data_encryption_key=existing_key,
    )
    # One EDK under the KMS provider namespace; the assertions below expect it to be skipped.
    kms_edk = EncryptedDataKey(
        key_provider=MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=b"foo"),
        encrypted_data_key=b"bar",
    )

    materials_out = discovery_keyring.on_decrypt(
        decryption_materials=materials_in,
        encrypted_data_keys=(kms_edk,),
    )

    assert materials_out.data_encryption_key == materials_in.data_encryption_key
    # No decrypt attempt was made, so the failure log line must be absent.
    assert "Unable to decrypt encrypted data key from" not in caplog.text
def test_aws_kms_discovery_keyring_on_encrypt():
    """on_encrypt is a no-op for the discovery keyring: same materials back, no EDKs added."""
    discovery_keyring = _AwsKmsDiscoveryKeyring(client_supplier=DefaultClientSupplier())
    materials_in = EncryptionMaterials(algorithm=ALGORITHM, encryption_context={})

    materials_out = discovery_keyring.on_encrypt(materials_in)

    # The very same object is returned, and its EDK list is still empty.
    assert materials_out is materials_in
    assert not materials_out.encrypted_data_keys
def test_aws_kms_discovery_keyring_on_decrypt_fail(caplog):
    """A failed KMS decrypt is logged at DEBUG and yields materials with no data key, not an exception.

    No KMS CMKs exist in this test context, so the decrypt attempt on the EDK
    below is expected to fail when talking to KMS.
    """
    caplog.set_level(logging.DEBUG)
    discovery_keyring = _AwsKmsDiscoveryKeyring(client_supplier=DefaultClientSupplier())

    # No data key yet, so the keyring has to try the EDK.
    materials_in = DecryptionMaterials(algorithm=ALGORITHM, encryption_context={})
    kms_edk = EncryptedDataKey(
        key_provider=MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=b"bar"),
        encrypted_data_key=b"bar",
    )

    materials_out = discovery_keyring.on_decrypt(
        decryption_materials=materials_in,
        encrypted_data_keys=(kms_edk,),
    )

    # The failure is swallowed: no data key is produced and nothing is raised.
    assert materials_out.data_encryption_key is None
    # ...but the attempt is visible in the debug log.
    assert "Unable to decrypt encrypted data key from" in caplog.text
def test_aws_kms_discovery_keyring_on_decrypt(encryption_materials_for_discovery_decrypt):
    """Successful discovery decrypt: a data key comes back and the trace names the generator key.

    The fixture supplies the generator key id together with encryption materials
    whose EDKs the discovery keyring must be able to decrypt.
    """
    generator_key_id, enc_materials = encryption_materials_for_discovery_decrypt
    discovery_keyring = _AwsKmsDiscoveryKeyring(client_supplier=DefaultClientSupplier())

    materials_in = DecryptionMaterials(
        algorithm=enc_materials.algorithm,
        encryption_context=enc_materials.encryption_context,
    )
    materials_out = discovery_keyring.on_decrypt(
        decryption_materials=materials_in,
        encrypted_data_keys=enc_materials.encrypted_data_keys,
    )

    # A successful decrypt produces new materials that now carry a data key.
    assert materials_out is not materials_in
    assert materials_out.data_encryption_key is not None

    # Trace entries recorded against the generator key must show both the decrypt
    # and the encryption-context verification.
    generator_info = MasterKeyInfo(provider_id=KEY_NAMESPACE, key_info=generator_key_id)
    generator_flags = _matching_flags(generator_info, materials_out.keyring_trace)
    expected_flags = (KeyringTraceFlag.DECRYPTED_DATA_KEY, KeyringTraceFlag.VERIFIED_ENCRYPTION_CONTEXT)
    for flag in expected_flags:
        assert flag in generator_flags
def test_aws_kms_discovery_keyring_invalid_parameters(kwargs):
    """Constructing the keyring with the parametrized bad kwargs must raise TypeError."""

    def build_keyring():
        return _AwsKmsDiscoveryKeyring(**kwargs)

    with pytest.raises(TypeError):
        build_keyring()