def test_file_to_stdout_decrypt_required_encryption_context_fail(tmpdir, required_encryption_context):
plaintext = tmpdir.join("source_plaintext")
plaintext.write_binary(os.urandom(1024))
ciphertext = tmpdir.join("ciphertext")
metadata_file = tmpdir.join("metadata")
encrypt_args = encrypt_args_template().format(source=str(plaintext), target=str(ciphertext))
decrypt_args = (
"aws-encryption-cli "
+ decrypt_args_template(metadata=True).format(
source=str(ciphertext), target="-", metadata=" --metadata-output " + str(metadata_file)
)
+ " --encryption-context "
+ required_encryption_context
)
aws_encryption_sdk_cli.cli(shlex.split(encrypt_args, posix=not is_windows()))
proc = Popen(shlex.split(decrypt_args, posix=not is_windows()), stdout=PIPE, stdin=PIPE, stderr=PIPE)
decrypted_output, stderr = proc.communicate()
# Verify that no output was written
assert decrypted_output == b""
# Verify the no exception was raised trying to delete verifiable non-existant "-" file,
# to verify that we did not attempt to do that
assert b"OSError" not in stderr # Python 2
assert b"FileNotFoundError" not in stderr # Python 3
raw_metadata = metadata_file.read()
parsed_metadata = json.loads(raw_metadata)
assert parsed_metadata["output"] == "<stdout>"
assert parsed_metadata["skipped"]
assert parsed_metadata["reason"] == "Missing encryption context key or value"
def test_cycle_discovery_true_filter_wrong_account(tmpdir):
plaintext = tmpdir.join("source_plaintext")
plaintext.write_binary(os.urandom(1024))
ciphertext = tmpdir.join("ciphertext")
decrypted = tmpdir.join("decrypted")
metadata = tmpdir.join("metadata")
encrypt_args = encrypt_args_template(metadata=True).format(
source=str(plaintext),
target=str(ciphertext),
metadata="--metadata-output " + str(metadata))
decrypt_args = decrypt_args_template(
metadata=True,
discovery=False).format(source=str(ciphertext),
target=str(decrypted),
metadata="--metadata-output " + str(metadata))
decrypt_args += " -w discovery=true discovery-account=1234 discovery-partition=aws"
aws_encryption_sdk_cli.cli(
shlex.split(encrypt_args, posix=not is_windows()))
message = aws_encryption_sdk_cli.cli(
shlex.split(decrypt_args, posix=not is_windows()))
output_metadata = [json.loads(line) for line in metadata.readlines()]
for line in output_metadata:
for key, value in (("a", "b"), ("c", "d")):
assert line["header"]["encryption_context"][key] == value
assert output_metadata[0]["mode"] == "encrypt"
assert output_metadata[0]["input"] == str(plaintext)
assert output_metadata[0]["output"] == str(ciphertext)
assert "header_auth" not in output_metadata[0]
assert not decrypted.isfile()
assert "not allowed by this Master Key Provider" in message
def test_cycle_explicit_discovery_true_no_filter(tmpdir):
plaintext = tmpdir.join("source_plaintext")
plaintext.write_binary(os.urandom(1024))
ciphertext = tmpdir.join("ciphertext")
decrypted = tmpdir.join("decrypted")
metadata = tmpdir.join("metadata")
encrypt_args = encrypt_args_template(metadata=True).format(
source=str(plaintext),
target=str(ciphertext),
metadata="--metadata-output " + str(metadata))
decrypt_args = decrypt_args_template(metadata=True, discovery=True).format(
source=str(ciphertext),
target=str(decrypted),
metadata="--metadata-output " + str(metadata))
aws_encryption_sdk_cli.cli(
shlex.split(encrypt_args, posix=not is_windows()))
aws_encryption_sdk_cli.cli(
shlex.split(decrypt_args, posix=not is_windows()))
output_metadata = [json.loads(line) for line in metadata.readlines()]
for line in output_metadata:
for key, value in (("a", "b"), ("c", "d")):
assert line["header"]["encryption_context"][key] == value
assert output_metadata[0]["mode"] == "encrypt"
assert output_metadata[0]["input"] == str(plaintext)
assert output_metadata[0]["output"] == str(ciphertext)
assert "header_auth" not in output_metadata[0]
assert output_metadata[1]["mode"] == "decrypt"
assert output_metadata[1]["input"] == str(ciphertext)
assert output_metadata[1]["output"] == str(decrypted)
assert "header_auth" in output_metadata[1]
def test_file_to_file_base64(tmpdir, encode, decode):
plaintext = tmpdir.join("source_plaintext")
ciphertext_a = tmpdir.join("ciphertext-a")
ciphertext_b = tmpdir.join("ciphertext-b")
decrypted = tmpdir.join("decrypted")
plaintext_source = os.urandom(10240) # make sure we have more than one chunk
with open(str(plaintext), "wb") as f:
f.write(plaintext_source)
encrypt_flag = " --encode" if encode else ""
decrypt_flag = " --decode" if decode else ""
encrypt_args = encrypt_args_template().format(source=str(plaintext), target=str(ciphertext_a)) + encrypt_flag
decrypt_args = decrypt_args_template().format(source=str(ciphertext_b), target=str(decrypted)) + decrypt_flag
aws_encryption_sdk_cli.cli(shlex.split(encrypt_args, posix=not is_windows()))
if encode and not decode:
with open(str(ciphertext_a), "rb") as ct_a, open(str(ciphertext_b), "wb") as ct_b:
raw_ct = base64.b64decode(ct_a.read())
ct_b.write(raw_ct)
elif decode and not encode:
with open(str(ciphertext_a), "rb") as ct, open(str(ciphertext_b), "wb") as b64_ct:
b64_ct.write(base64.b64encode(ct.read()))
else:
shutil.copy2(str(ciphertext_a), str(ciphertext_b))
aws_encryption_sdk_cli.cli(shlex.split(decrypt_args, posix=not is_windows()))
with open(str(decrypted), "rb") as f:
decrypted_plaintext = f.read()
assert decrypted_plaintext == plaintext_source
def test_cycle_discovery_false_wrong_key_id(tmpdir):
plaintext = tmpdir.join("source_plaintext")
plaintext.write_binary(os.urandom(1024))
ciphertext = tmpdir.join("ciphertext")
decrypted = tmpdir.join("decrypted")
metadata = tmpdir.join("metadata")
encrypt_args = encrypt_args_template(metadata=True).format(
source=str(plaintext),
target=str(ciphertext),
metadata="--metadata-output " + str(metadata))
decrypt_args = decrypt_args_template(
metadata=True,
discovery=False).format(source=str(ciphertext),
target=str(decrypted),
metadata="--metadata-output " + str(metadata))
wrong_key = cmk_arn_value()[:-1]
decrypt_args += " -w discovery=false key=" + wrong_key
aws_encryption_sdk_cli.cli(
shlex.split(encrypt_args, posix=not is_windows()))
message = aws_encryption_sdk_cli.cli(
shlex.split(decrypt_args, posix=not is_windows()))
output_metadata = [json.loads(line) for line in metadata.readlines()]
for line in output_metadata:
for key, value in (("a", "b"), ("c", "d")):
assert line["header"]["encryption_context"][key] == value
assert output_metadata[0]["mode"] == "encrypt"
assert output_metadata[0]["input"] == str(plaintext)
assert output_metadata[0]["output"] == str(ciphertext)
assert "header_auth" not in output_metadata[0]
assert not decrypted.isfile()
assert "Unable to decrypt any data key" in message
def test_cycle_decrypt_unsigned_fails_on_signed_message(tmpdir):
plaintext = tmpdir.join("source_plaintext")
plaintext.write_binary(os.urandom(1024))
ciphertext = tmpdir.join("ciphertext")
decrypted = tmpdir.join("decrypted")
metadata = tmpdir.join("metadata")
encrypt_args = encrypt_args_template(metadata=True).format(
source=str(plaintext),
target=str(ciphertext),
metadata="--metadata-output " + str(metadata))
# Use a signed algorithm for encryption
encrypt_args += " --algorithm AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384"
decrypt_args = decrypt_unsigned_args_template(metadata=True).format(
source=str(ciphertext),
target=str(decrypted),
metadata="--metadata-output " + str(metadata))
aws_encryption_sdk_cli.cli(
shlex.split(encrypt_args, posix=not is_windows()))
message = aws_encryption_sdk_cli.cli(
shlex.split(decrypt_args, posix=not is_windows()))
output_metadata = [json.loads(line) for line in metadata.readlines()]
for line in output_metadata:
for key, value in (("a", "b"), ("c", "d")):
assert line["header"]["encryption_context"][key] == value
assert output_metadata[0]["mode"] == "encrypt"
assert output_metadata[0]["input"] == str(plaintext)
assert output_metadata[0]["output"] == str(ciphertext)
assert "header_auth" not in output_metadata[0]
assert not decrypted.isfile()
assert "Cannot decrypt signed message in decrypt-unsigned mode" in message
def test_file_to_file_decrypt_unsigned_required_encryption_context_fail(
tmpdir, required_encryption_context):
plaintext = tmpdir.join("source_plaintext")
plaintext.write_binary(os.urandom(1024))
ciphertext = tmpdir.join("ciphertext")
metadata_file = tmpdir.join("metadata")
decrypted = tmpdir.join("decrypted")
encrypt_args = encrypt_args_template().format(source=str(plaintext),
target=str(ciphertext))
# Use an unsigned algorithm for encryption
encrypt_args += " --algorithm AES_256_GCM_HKDF_SHA512_COMMIT_KEY"
decrypt_args = (decrypt_unsigned_args_template(metadata=True).format(
source=str(ciphertext),
target=str(decrypted),
metadata=" --metadata-output " + str(metadata_file)) +
" --encryption-context " + required_encryption_context)
aws_encryption_sdk_cli.cli(
shlex.split(encrypt_args, posix=not is_windows()))
aws_encryption_sdk_cli.cli(
shlex.split(decrypt_args, posix=not is_windows()))
assert not decrypted.isfile()
raw_metadata = metadata_file.read()
parsed_metadata = json.loads(raw_metadata)
assert parsed_metadata["skipped"]
assert parsed_metadata[
"reason"] == "Missing encryption context key or value"
def test_file_to_stdout_decrypt_no_buffering_with_failure(tmpdir):
plaintext = tmpdir.join("source_plaintext")
# Use an input large enough that results in processing in several chunks
plaintext.write_binary(os.urandom(16384))
ciphertext = tmpdir.join("ciphertext")
encrypt_args = encrypt_args_template().format(source=str(plaintext),
target=str(ciphertext))
decrypt_args = "aws-encryption-cli " + decrypt_args_template(
buffer=False).format(source=str(ciphertext), target="-")
aws_encryption_sdk_cli.cli(
shlex.split(encrypt_args, posix=not is_windows()))
# Tamper with encryption result to get an error on decrypt
with open(str(ciphertext), "rb+") as f:
f.seek(-1, os.SEEK_END)
f.truncate()
# pylint: disable=consider-using-with
proc = Popen(shlex.split(decrypt_args, posix=not is_windows()),
stdout=PIPE,
stdin=PIPE,
stderr=PIPE)
decrypted_output, stderr = proc.communicate()
# Verify that output was not buffered and some output was written to stout
assert len(decrypted_output) > 0
assert b"Encountered unexpected error" in stderr
# Verify the no exception was raised trying to delete verifiable non-existant "-" file,
# to verify that we did not attempt to do that
assert b"OSError" not in stderr # Python 2
assert b"FileNotFoundError" not in stderr # Python 3
def test_dir_to_dir_cycle_custom_suffix(tmpdir):
plaintext_dir = tmpdir.mkdir("plaintext")
ciphertext_dir = tmpdir.mkdir("ciphertext")
decrypted_dir = tmpdir.mkdir("decrypted")
plaintext_dir.mkdir("a").mkdir("b")
plaintext_dir.mkdir("c")
for source_file_path in (["1"], ["a", "2"], ["a", "b", "3"], ["c", "4"]):
with open(os.path.join(str(plaintext_dir), *source_file_path),
"wb") as file:
file.write(os.urandom(1024))
encrypt_suffix = "THIS_IS_A_CUSTOM_SUFFIX"
encrypt_args = (encrypt_args_template().format(
source=str(plaintext_dir), target=str(ciphertext_dir)) + " -r" +
" --suffix " + encrypt_suffix)
decrypt_suffix = ".anotherSuffix"
decrypt_args = (decrypt_args_template().format(source=str(ciphertext_dir),
target=str(decrypted_dir)) +
" -r" + " --suffix " + decrypt_suffix)
aws_encryption_sdk_cli.cli(
shlex.split(encrypt_args, posix=not is_windows()))
aws_encryption_sdk_cli.cli(
shlex.split(decrypt_args, posix=not is_windows()))
for base_dir, _dirs, filenames in os.walk(str(plaintext_dir)):
for file in filenames:
plaintext_filename = os.path.join(base_dir, file)
decrypted_filename = (plaintext_filename.replace(
str(plaintext_dir), str(decrypted_dir)) + encrypt_suffix +
decrypt_suffix)
assert filecmp.cmp(plaintext_filename, decrypted_filename)
def test_glob_to_dir_cycle(tmpdir):
plaintext_dir = tmpdir.mkdir("plaintext")
ciphertext_dir = tmpdir.mkdir("ciphertext")
decrypted_dir = tmpdir.mkdir("decrypted")
for source_file_path in ("a.1", "b.2", "b.1", "c.1"):
with open(os.path.join(str(plaintext_dir), source_file_path),
"wb") as file:
file.write(os.urandom(1024))
suffix = ".1"
encrypt_args = (encrypt_args_template().format(
source=os.path.join(str(plaintext_dir), "*" + suffix),
target=str(ciphertext_dir)) + " -r")
decrypt_args = decrypt_args_template().format(
source=str(ciphertext_dir), target=str(decrypted_dir)) + " -r"
aws_encryption_sdk_cli.cli(
shlex.split(encrypt_args, posix=not is_windows()))
aws_encryption_sdk_cli.cli(
shlex.split(decrypt_args, posix=not is_windows()))
for base_dir, _dirs, filenames in os.walk(str(plaintext_dir)):
for file in filenames:
plaintext_filename = os.path.join(base_dir, file)
decrypted_filename = (plaintext_filename.replace(
str(plaintext_dir), str(decrypted_dir)) +
".encrypted.decrypted")
if plaintext_filename.endswith(suffix):
assert filecmp.cmp(plaintext_filename, decrypted_filename)
else:
assert not os.path.isfile(decrypted_filename)
def test_encrypt_verify_user_agent(tmpdir, kms_redacting_logger_stream):
plaintext = tmpdir.join("source_plaintext")
plaintext.write_binary(os.urandom(1024))
ciphertext = tmpdir.join("ciphertext")
encrypt_args = encrypt_args_template().format(source=str(plaintext), target=str(ciphertext)) + " -vvvv"
aws_encryption_sdk_cli.cli(shlex.split(encrypt_args, posix=not is_windows()))
all_logs = kms_redacting_logger_stream.getvalue()
assert USER_AGENT_SUFFIX in all_logs
def test_file_to_file_cycle_with_caching(tmpdir):
plaintext = tmpdir.join("source_plaintext")
ciphertext = tmpdir.join("ciphertext")
decrypted = tmpdir.join("decrypted")
with open(str(plaintext), "wb") as f:
f.write(os.urandom(1024))
encrypt_args = encrypt_args_template(caching=True).format(source=str(plaintext), target=str(ciphertext))
decrypt_args = decrypt_args_template().format(source=str(ciphertext), target=str(decrypted))
aws_encryption_sdk_cli.cli(shlex.split(encrypt_args, posix=not is_windows()))
aws_encryption_sdk_cli.cli(shlex.split(decrypt_args, posix=not is_windows()))
assert filecmp.cmp(str(plaintext), str(decrypted))
def test_cli_unknown_error_capture_stacktrace(patch_process_cli_request, tmpdir, log_level, requested_log_level):
log_stream = kms_redacting_logger_stream(log_level)
plaintext = tmpdir.join("plaintext")
plaintext.write("some data")
message = "THIS IS A REASONABLY UNIQUE ERROR MESSAGE #&*Y(HJFIWE"
patch_process_cli_request.side_effect = Exception(message)
test = aws_encryption_sdk_cli.cli(
shlex.split(
"-Sd -i "
+ str(plaintext)
+ " -o "
+ str(tmpdir.join("ciphertext"))
+ " "
+ requested_log_level
+ " -w discovery=true region=us-west-2"
)
)
all_logs = log_stream.getvalue()
assert test.startswith("Encountered unexpected error: increase verbosity to see details.")
assert message in test
if log_level <= logging.DEBUG:
assert "Traceback" in all_logs
assert message in all_logs
else:
assert "Traceback" not in all_logs
assert message not in all_logs
def test_file_to_file_cycle_target_through_symlink(tmpdir):
plaintext = tmpdir.join("source_plaintext")
output_dir = tmpdir.mkdir("output")
os.symlink(str(output_dir), str(tmpdir.join("output_link")))
ciphertext = tmpdir.join("output_link", "ciphertext")
decrypted = tmpdir.join("decrypted")
with open(str(plaintext), "wb") as f:
f.write(os.urandom(1024))
encrypt_args = encrypt_args_template().format(source=str(plaintext), target=str(ciphertext))
decrypt_args = decrypt_args_template().format(source=str(ciphertext), target=str(decrypted))
aws_encryption_sdk_cli.cli(shlex.split(encrypt_args, posix=not is_windows()))
aws_encryption_sdk_cli.cli(shlex.split(decrypt_args, posix=not is_windows()))
assert filecmp.cmp(str(plaintext), str(decrypted))
def test_file_to_dir_cycle(tmpdir):
inner_dir = tmpdir.mkdir("inner")
plaintext = tmpdir.join("source_plaintext")
ciphertext = inner_dir.join("source_plaintext.encrypted")
decrypted = tmpdir.join("decrypted")
with open(str(plaintext), "wb") as f:
f.write(os.urandom(1024))
encrypt_args = encrypt_args_template().format(source=str(plaintext), target=str(inner_dir))
decrypt_args = decrypt_args_template().format(source=str(ciphertext), target=str(decrypted))
aws_encryption_sdk_cli.cli(shlex.split(encrypt_args, posix=not is_windows()))
assert os.path.isfile(str(ciphertext))
aws_encryption_sdk_cli.cli(shlex.split(decrypt_args, posix=not is_windows()))
assert filecmp.cmp(str(plaintext), str(decrypted))
def test_file_to_file_decrypt_required_encryption_context_success(tmpdir, required_encryption_context):
plaintext = tmpdir.join("source_plaintext")
ciphertext = tmpdir.join("ciphertext")
decrypted = tmpdir.join("decrypted")
with open(str(plaintext), "wb") as f:
f.write(os.urandom(1024))
encrypt_args = encrypt_args_template().format(source=str(plaintext), target=str(ciphertext))
decrypt_args = (
decrypt_args_template().format(source=str(ciphertext), target=str(decrypted))
+ " --encryption-context "
+ required_encryption_context
)
aws_encryption_sdk_cli.cli(shlex.split(encrypt_args, posix=not is_windows()))
aws_encryption_sdk_cli.cli(shlex.split(decrypt_args, posix=not is_windows()))
assert filecmp.cmp(str(plaintext), str(decrypted))
def test_encrypt_with_metadata_output_write_to_stdout(tmpdir, capsys):
plaintext = tmpdir.join("source_plaintext")
plaintext.write_binary(os.urandom(1024))
ciphertext = tmpdir.join("ciphertext")
encrypt_args = encrypt_args_template(metadata=True).format(
source=str(plaintext), target=str(ciphertext), metadata="--metadata-output -"
)
aws_encryption_sdk_cli.cli(shlex.split(encrypt_args, posix=not is_windows()))
out, _err = capsys.readouterr()
output_metadata = json.loads(out)
for key, value in (("a", "b"), ("c", "d")):
assert output_metadata["header"]["encryption_context"][key] == value
assert output_metadata["mode"] == "encrypt"
assert output_metadata["input"] == str(plaintext)
assert output_metadata["output"] == str(ciphertext)
def test_encrypt_with_metadata_full_file_path(tmpdir):
plaintext_filename = "source_plaintext"
plaintext_file = tmpdir.join(plaintext_filename)
plaintext_file.write_binary(os.urandom(1024))
plaintext_file_full_path = str(plaintext_file)
ciphertext_filename = "ciphertext"
ciphertext_file = tmpdir.join(ciphertext_filename)
ciphertext_file_full_path = str(ciphertext_file)
metadata = tmpdir.join("metadata")
encrypt_args = encrypt_args_template(metadata=True).format(
source=plaintext_filename, target=ciphertext_filename, metadata="--metadata-output " + str(metadata)
)
with tmpdir.as_cwd():
aws_encryption_sdk_cli.cli(shlex.split(encrypt_args, posix=not is_windows()))
raw_metadata = metadata.read()
output_metadata = json.loads(raw_metadata)
assert output_metadata["input"] == plaintext_file_full_path
assert output_metadata["output"] == ciphertext_file_full_path
def test_cycle_discovery_true_filter_multiple_accounts_correct(tmpdir):
plaintext = tmpdir.join("source_plaintext")
plaintext.write_binary(os.urandom(1024))
ciphertext = tmpdir.join("ciphertext")
decrypted = tmpdir.join("decrypted")
metadata = tmpdir.join("metadata")
encrypt_args = encrypt_args_template(metadata=True).format(
source=str(plaintext),
target=str(ciphertext),
metadata="--metadata-output " + str(metadata))
decrypt_args = decrypt_args_template(metadata=True).format(
source=str(ciphertext),
target=str(decrypted),
metadata="--metadata-output " + str(metadata))
arn = cmk_arn_value().split(":")
account = arn[4]
partition = arn[1]
decrypt_args += (
" -w discovery=true discovery-account=123 discovery-account={account} discovery-partition={partition}"
.format(account=account, partition=partition))
aws_encryption_sdk_cli.cli(
shlex.split(encrypt_args, posix=not is_windows()))
aws_encryption_sdk_cli.cli(
shlex.split(decrypt_args, posix=not is_windows()))
output_metadata = [json.loads(line) for line in metadata.readlines()]
for line in output_metadata:
for key, value in (("a", "b"), ("c", "d")):
assert line["header"]["encryption_context"][key] == value
assert output_metadata[0]["mode"] == "encrypt"
assert output_metadata[0]["input"] == str(plaintext)
assert output_metadata[0]["output"] == str(ciphertext)
assert "header_auth" not in output_metadata[0]
assert output_metadata[1]["mode"] == "decrypt"
assert output_metadata[1]["input"] == str(ciphertext)
assert output_metadata[1]["output"] == str(decrypted)
assert "header_auth" in output_metadata[1]
def test_file_to_file_decrypt_unsigned_required_encryption_context_success(
tmpdir, required_encryption_context):
plaintext = tmpdir.join("source_plaintext")
ciphertext = tmpdir.join("ciphertext")
decrypted = tmpdir.join("decrypted")
with open(str(plaintext), "wb") as f:
f.write(os.urandom(1024))
encrypt_args = encrypt_args_template().format(source=str(plaintext),
target=str(ciphertext))
# Use an unsigned algorithm for encryption
encrypt_args += " --algorithm AES_256_GCM_HKDF_SHA512_COMMIT_KEY"
decrypt_args = (decrypt_unsigned_args_template().format(
source=str(ciphertext), target=str(decrypted)) +
" --encryption-context " + required_encryption_context)
aws_encryption_sdk_cli.cli(
shlex.split(encrypt_args, posix=not is_windows()))
aws_encryption_sdk_cli.cli(
shlex.split(decrypt_args, posix=not is_windows()))
assert filecmp.cmp(str(plaintext), str(decrypted))
def test_cycle_within_max_encrypted_data_keys(tmpdir, num_keys):
plaintext = tmpdir.join("source_plaintext")
plaintext.write_binary(os.urandom(1024))
ciphertext = tmpdir.join("ciphertext")
decrypted = tmpdir.join("decrypted")
extra_key_arg = " -w key={}".format(cmk_arn_value())
max_edks_arg = " --max-encrypted-data-keys {}".format(3)
encrypt_args = encrypt_args_template().format(source=str(plaintext),
target=str(ciphertext))
encrypt_args += max_edks_arg
encrypt_args += extra_key_arg * (num_keys - 1)
message = aws_encryption_sdk_cli.cli(
shlex.split(encrypt_args, posix=not is_windows()))
assert message is None
decrypt_args = decrypt_args_template().format(source=str(ciphertext),
target=str(decrypted))
decrypt_args += max_edks_arg
message = aws_encryption_sdk_cli.cli(
shlex.split(decrypt_args, posix=not is_windows()))
assert message is None
def test_file_overwrite_source_file_to_dir_custom_empty_prefix(tmpdir):
plaintext_source = os.urandom(2014)
plaintext = tmpdir.join("source_plaintext")
with open(str(plaintext), "wb") as f:
f.write(plaintext_source)
encrypt_args = encrypt_args_template().format(source=str(plaintext), target=str(tmpdir)) + " --suffix"
test_result = aws_encryption_sdk_cli.cli(shlex.split(encrypt_args, posix=not is_windows()))
assert test_result is None
with open(str(plaintext), "rb") as f:
assert f.read() == plaintext_source
def test_decrypt_over_max_encrypted_data_keys(tmpdir):
plaintext = tmpdir.join("source_plaintext")
plaintext.write_binary(os.urandom(1024))
ciphertext = tmpdir.join("ciphertext")
decrypted = tmpdir.join("decrypted")
extra_key_arg = " -w key={}".format(cmk_arn_value())
max_edks_arg = " --max-encrypted-data-keys {}".format(3)
encrypt_args = encrypt_args_template().format(source=str(plaintext),
target=str(ciphertext))
encrypt_args += extra_key_arg * 3
message = aws_encryption_sdk_cli.cli(
shlex.split(encrypt_args, posix=not is_windows()))
assert message is None
decrypt_args = decrypt_args_template().format(source=str(ciphertext),
target=str(decrypted))
decrypt_args += max_edks_arg
message = aws_encryption_sdk_cli.cli(
shlex.split(decrypt_args, posix=not is_windows()))
assert message is not None
assert "MaxEncryptedDataKeysExceeded" in message
assert "Number of encrypted data keys found larger than configured value" in message
def test_cli(patch_for_cli):
test = aws_encryption_sdk_cli.cli(sentinel.raw_args)
aws_encryption_sdk_cli.parse_args.assert_called_once_with(sentinel.raw_args)
aws_encryption_sdk_cli.setup_logger.assert_called_once_with(sentinel.verbosity, sentinel.quiet)
aws_encryption_sdk_cli.build_crypto_materials_manager_from_args.assert_called_once_with(
key_providers_config=sentinel.wrapping_keys, caching_config=sentinel.caching_config
)
aws_encryption_sdk_cli.stream_kwargs_from_args.assert_called_once_with(
aws_encryption_sdk_cli.parse_args.return_value, sentinel.crypto_materials_manager
)
aws_encryption_sdk_cli.process_cli_request.assert_called_once_with(
sentinel.stream_args, aws_encryption_sdk_cli.parse_args.return_value
)
assert test is None
def test_max_encrypted_data_key_valid_values(tmpdir, max_encrypted_data_keys,
is_valid):
plaintext = tmpdir.join("source_plaintext")
plaintext.write_binary(os.urandom(1024))
ciphertext = tmpdir.join("ciphertext")
encrypt_args = encrypt_args_template().format(source=str(plaintext),
target=str(ciphertext))
encrypt_args += " --max-encrypted-data-keys {}".format(
max_encrypted_data_keys)
message = aws_encryption_sdk_cli.cli(
shlex.split(encrypt_args, posix=not is_windows()))
if is_valid:
assert message is None
else:
assert "max_encrypted_data_keys cannot be less than 1" in message
def test_cli_unknown_error(patch_for_cli):
aws_encryption_sdk_cli.process_cli_request.side_effect = Exception()
test = aws_encryption_sdk_cli.cli()
assert test.startswith("Encountered unexpected ")
def test_cli_local_error(patch_for_cli):
aws_encryption_sdk_cli.process_cli_request.side_effect = AWSEncryptionSDKCLIError(
sentinel.error_message)
test = aws_encryption_sdk_cli.cli()
assert test is sentinel.error_message
