def test_no_encryption_key_but_encryption_requested(actions, parametrized_item): signing_key = JceNameLocalDelegatedKey.generate("HmacSHA256", 256) cmp = StaticCryptographicMaterialsProvider(encryption_materials=RawEncryptionMaterials(signing_key=signing_key)) crypto_config = CryptoConfig( materials_provider=cmp, encryption_context=EncryptionContext(), attribute_actions=actions ) with pytest.raises(EncryptionError) as excinfo: encrypt_python_item(parametrized_item, crypto_config) excinfo.match("Attribute actions ask for some attributes to be encrypted but no encryption key is available")
def test_no_decryption_key_but_decryption_requested(actions, parametrized_item): encryption_key = JceNameLocalDelegatedKey.generate("AES", 256) signing_key = JceNameLocalDelegatedKey.generate("HmacSHA256", 256) encrypting_cmp = StaticCryptographicMaterialsProvider( encryption_materials=RawEncryptionMaterials( encryption_key=encryption_key, signing_key=signing_key)) decrypting_cmp = StaticCryptographicMaterialsProvider( decryption_materials=RawDecryptionMaterials( verification_key=signing_key)) encrypted_item = encrypt_python_item( parametrized_item, CryptoConfig(materials_provider=encrypting_cmp, encryption_context=EncryptionContext(), attribute_actions=actions), ) with pytest.raises(DecryptionError) as excinfo: decrypt_python_item( encrypted_item, CryptoConfig(materials_provider=decrypting_cmp, encryption_context=EncryptionContext(), attribute_actions=actions), ) excinfo.match( "Attribute actions ask for some attributes to be decrypted but no decryption key is available" )
def create_main_key(self, key_id: str, key_length=256, key_bytes=None) -> MainKey: index_key = {"key_id": key_id} if key_bytes is None: key_bytes = self._key_bytes_generator(key_length) plaintext_item = { "restricted": False, "on_hold": False, "key": key_bytes, } plaintext_item.update(index_key) encryption_context = EncryptionContext( table_name=self._table_name, partition_key_name="key_id", attributes=dict_to_ddb(index_key), ) crypto_config = CryptoConfig( materials_provider=self._materials_provider, encryption_context=encryption_context, attribute_actions=self._actions, ) encrypted_item = encrypt_python_item(plaintext_item, crypto_config) self._put_item(key_id=key_id, encrypted_item=encrypted_item) return MainKey( key_id=key_id, key_bytes=key_bytes, )
def cycle_item_check(plaintext_item, crypto_config): """Check that cycling (plaintext->encrypted->decrypted) an item has the expected results.""" ciphertext_item = encrypt_python_item(plaintext_item, crypto_config) check_encrypted_item(plaintext_item, ciphertext_item, crypto_config.attribute_actions) cycled_item = decrypt_python_item(ciphertext_item, crypto_config) assert cycled_item == plaintext_item del ciphertext_item del cycled_item
def test_only_sign_item(parametrized_item): signing_key = JceNameLocalDelegatedKey.generate("HmacSHA256", 256) cmp = StaticCryptographicMaterialsProvider( encryption_materials=RawEncryptionMaterials(signing_key=signing_key), decryption_materials=RawDecryptionMaterials(verification_key=signing_key), ) actions = AttributeActions(default_action=CryptoAction.SIGN_ONLY) crypto_config = CryptoConfig( materials_provider=cmp, encryption_context=EncryptionContext(), attribute_actions=actions ) signed_item = encrypt_python_item(parametrized_item, crypto_config) material_description = signed_item[ReservedAttributes.MATERIAL_DESCRIPTION.value].value assert MaterialDescriptionKeys.ATTRIBUTE_ENCRYPTION_MODE.value.encode("utf-8") not in material_description decrypt_python_item(signed_item, crypto_config)
def test_reserved_attributes_on_encrypt(static_cmp_crypto_config, item): with pytest.raises(EncryptionError) as exc_info: encrypt_python_item(item, static_cmp_crypto_config) exc_info.match(r"Reserved attribute name *")
def encrypt_item(table_name, aws_cmk_id): """Demonstrate use of EncryptedTable to transparently encrypt an item.""" index_key = { 'partition_attribute': 'is this', 'sort_attribute': 55 } plaintext_item = { 'example': 'data', 'some numbers': 99, 'and some binary': Binary(b'\x00\x01\x02'), 'leave me': 'alone' # We want to ignore this attribute } # Collect all of the attributes that will be encrypted (used later). encrypted_attributes = set(plaintext_item.keys()) encrypted_attributes.remove('leave me') # Collect all of the attributes that will not be encrypted (used later). unencrypted_attributes = set(index_key.keys()) unencrypted_attributes.add('leave me') # Add the index pairs to the item. plaintext_item.update(index_key) # Create a normal table resource. table = boto3.resource('dynamodb').Table(table_name) # Use the TableInfo helper to collect information about the indexes. table_info = TableInfo(name=table_name) table_info.refresh_indexed_attributes(table.meta.client) # Create a crypto materials provider using the specified AWS KMS key. aws_kms_cmp = AwsKmsCryptographicMaterialsProvider(key_id=aws_cmk_id) encryption_context = EncryptionContext( table_name=table_name, partition_key_name=table_info.primary_index.partition, sort_key_name=table_info.primary_index.sort, # The only attributes that are used by the AWS KMS cryptographic materials providers # are the primary index attributes. # These attributes need to be in the form of a DynamoDB JSON structure, so first # convert the standard dictionary. attributes=dict_to_ddb(index_key) ) # Create attribute actions that tells the encrypted table to encrypt all attributes, # only sign the primary index attributes, and ignore the one identified attribute to # ignore. actions = AttributeActions( default_action=CryptoAction.ENCRYPT_AND_SIGN, attribute_actions={'leave me': CryptoAction.DO_NOTHING} ) actions.set_index_keys(*table_info.protected_index_keys()) # Build the crypto config to use for this item. # When using the higher-level helpers, this is handled for you. crypto_config = CryptoConfig( materials_provider=aws_kms_cmp, encryption_context=encryption_context, attribute_actions=actions ) # Encrypt the plaintext item directly encrypted_item = encrypt_python_item(plaintext_item, crypto_config) # You could now put the encrypted item to DynamoDB just as you would any other item. # table.put_item(Item=encrypted_item) # We will skip this for the purposes of this example. # Decrypt the encrypted item directly decrypted_item = decrypt_python_item(encrypted_item, crypto_config) # Verify that all of the attributes are different in the encrypted item for name in encrypted_attributes: assert encrypted_item[name] != plaintext_item[name] assert decrypted_item[name] == plaintext_item[name] # Verify that all of the attributes that should not be encrypted were not. for name in unencrypted_attributes: assert decrypted_item[name] == encrypted_item[name] == plaintext_item[name]