Esempio n. 1
    def validate_config(self):
        """Validate a strict-mode configuration.

        Strict mode requires an explicit, non-empty list of key ids and must not
        carry either discovery-only setting (``discovery_filter``,
        ``discovery_region``). Only presence is checked here: the key id strings
        are not parsed, so a malformed ARN is not rejected by this method.

        :raises ConfigMismatchError: if any of the rules below is violated
        """
        config = self.config

        # //= compliance/framework/aws-kms/aws-kms-mrk-aware-master-key-provider.txt#2.6
        # //# The key id list MUST NOT be empty or null in strict mode.
        if not config.key_ids:
            raise ConfigMismatchError(
                "To enable strict mode you must provide key ids")

        # //= compliance/framework/aws-kms/aws-kms-mrk-aware-master-key-provider.txt#2.6
        # //# The key id list MUST NOT contain any null or empty string values.
        if any(not key_id for key_id in config.key_ids):
            raise ConfigMismatchError("Key ids must be valid AWS KMS ARNs")

        # //= compliance/framework/aws-kms/aws-kms-mrk-aware-master-key-provider.txt#2.6
        # //# A discovery filter MUST NOT be configured in strict mode.
        if config.discovery_filter:
            raise ConfigMismatchError(
                "To enable discovery mode, use a DiscoveryAwsKmsMasterKeyProvider"
            )

        # //= compliance/framework/aws-kms/aws-kms-mrk-aware-master-key-provider.txt#2.6
        # //# A default MRK Region MUST NOT be configured in strict mode.
        if config.discovery_region:
            raise ConfigMismatchError(
                "To enable MRK-aware discovery mode, use a MRKAwareDiscoveryAwsKmsMasterKeyProvider"
            )
Esempio n. 2
    def validate_config(self):
        """Validate a strict-mode configuration.

        Strict mode needs a non-empty list of key ids, none of which may be empty,
        and must not carry a ``discovery_filter``. Only presence is checked; the
        key id strings are not parsed or verified to be well-formed ARNs here.

        :raises ConfigMismatchError: if any of the rules below is violated
        """
        config = self.config

        if not config.key_ids:
            raise ConfigMismatchError(
                "To enable strict mode you must provide key ids")

        if any(not key_id for key_id in config.key_ids):
            raise ConfigMismatchError("Key ids must be valid AWS KMS ARNs")

        if config.discovery_filter:
            raise ConfigMismatchError(
                "To enable discovery mode, use a DiscoveryAwsKmsMasterKeyProvider"
            )
Esempio n. 3
    def validate_config(self):
        """Validate a discovery-mode configuration.

        Discovery mode must not name any key ids. When a ``discovery_filter`` is
        present it has to carry both ``account_ids`` and ``partition``, and every
        account id must be a non-empty value; the account id and partition
        strings are not otherwise parsed here.

        :raises ConfigMismatchError: if any of the rules below is violated
        """
        config = self.config

        if config.key_ids:
            raise ConfigMismatchError(
                "To explicitly identify which keys should be used, use a "
                "StrictAwsKmsMasterKeyProvider.")

        discovery_filter = config.discovery_filter
        if not discovery_filter:
            return

        if not (discovery_filter.account_ids and discovery_filter.partition):
            raise ConfigMismatchError(
                "When specifying a discovery filter you must include both account ids and "
                "partition")

        if not all(discovery_filter.account_ids):
            raise ConfigMismatchError(
                "When specifying a discovery filter, account ids must be non-empty "
                "strings")
Esempio n. 4
 def validate_config(self):
     """Validate the MRK-aware discovery configuration and settle the region.

     When no ``discovery_region`` was configured, ``self.default_region`` (per
     the cited requirement, the AWS SDK default region) is written back into
     ``self.config.discovery_region``; if that fallback is unavailable too the
     provider cannot be initialised. Note the side effect: this method may
     mutate ``self.config``.

     :raises ConfigMismatchError: if no discovery region can be determined
     """
     # //= compliance/framework/aws-kms/aws-kms-mrk-aware-master-key-provider.txt#2.6
     # //# In discovery mode
     # //# if a default MRK Region is not configured the AWS SDK Default Region
     # //# MUST be used.
     if self.config.discovery_region:
         return

     # //= compliance/framework/aws-kms/aws-kms-mrk-aware-master-key-provider.txt#2.6
     # //# If an AWS SDK Default Region can not be obtained
     # //# initialization MUST fail.
     fallback_region = self.default_region
     if not fallback_region:
         raise ConfigMismatchError(
             "Failed to determine default discovery region; please provide an explicit discovery_region"
         )
     self.config.discovery_region = fallback_region
Esempio n. 5
    def validate_config(self):
        """Validate a (non-MRK-aware) discovery-mode configuration.

        Discovery mode must not name any key ids and must not set a
        ``discovery_region``. When a ``discovery_filter`` is present it has to
        carry both ``account_ids`` and ``partition``, and every account id must
        be a non-empty value; the strings are not otherwise parsed here.

        :raises ConfigMismatchError: if any of the rules below is violated
        """
        config = self.config

        # //= compliance/framework/aws-kms/aws-kms-mrk-aware-master-key-provider.txt#2.6
        # //# The key id list MUST be empty in discovery mode.
        if config.key_ids:
            raise ConfigMismatchError(
                "To explicitly identify which keys should be used, use a "
                "StrictAwsKmsMasterKeyProvider.")

        discovery_filter = config.discovery_filter
        if discovery_filter:
            if not (discovery_filter.account_ids and discovery_filter.partition):
                raise ConfigMismatchError(
                    "When specifying a discovery filter you must include both account ids and "
                    "partition")
            if not all(discovery_filter.account_ids):
                raise ConfigMismatchError(
                    "When specifying a discovery filter, account ids must be non-empty "
                    "strings")

        if config.discovery_region:
            raise ConfigMismatchError(
                "To enable MRK-aware discovery mode, use a MRKAwareDiscoveryAwsKmsMasterKeyProvider."
            )
 def __new__(cls, **kwargs):
     """Build the instance and perform the prep work shared by all MasterKeys.

     A ``provider_id`` supplied through the config is adopted only when the
     class has not fixed one of its own (``instance.provider_id is None``); a
     differing value is rejected instead of silently overriding the class's.
     The new instance is then registered as the sole entry of its own key
     index and member list.

     :raises ConfigMismatchError: if the config ``provider_id`` conflicts with the instance's
     """
     instance = super(MasterKey, cls).__new__(cls, **kwargs)
     configured_provider_id = instance.config.provider_id
     if configured_provider_id is not None:
         current_provider_id = instance.provider_id
         if current_provider_id is None:
             # Only allow override if provider_id is NOT set to non-None for the class
             instance.provider_id = configured_provider_id
         elif current_provider_id != configured_provider_id:
             raise ConfigMismatchError(
                 'Config provider_id does not match MasterKey provider_id: {config} != {instance}'.format(
                     config=configured_provider_id,
                     instance=current_provider_id
                 )
             )
     instance.key_id = instance.config.key_id
     instance._members = [instance]
     instance._key_index = {instance.key_id: instance}
     return instance
Esempio n. 7
 def __new__(cls, **kwargs):
     """Performs universal prep work for all MasterKeys.

     A ``provider_id`` supplied through the config is adopted only when the
     class has not fixed one of its own (``instance.provider_id is None``); a
     differing value is rejected instead of silently overriding the class's.
     The new instance is then registered as the sole entry of its encrypt key
     index and member list, while the decrypt key index starts out empty.

     :raises ConfigMismatchError: if the config ``provider_id`` conflicts with the instance's
     """
     instance = super(MasterKey, cls).__new__(cls, **kwargs)
     configured_provider_id = instance.config.provider_id
     if configured_provider_id is not None:
         current_provider_id = instance.provider_id
         if current_provider_id is None:
             # Only allow override if provider_id is NOT set to non-None for the class
             instance.provider_id = configured_provider_id
         elif current_provider_id != configured_provider_id:
             raise ConfigMismatchError(
                 'Config provider_id does not match MasterKey provider_id: {config} != {instance}'
                 .format(config=configured_provider_id,
                         instance=current_provider_id))
     instance.key_id = instance.config.key_id
     # We cannot make any general statements about key_info, so specifically enforce that decrypt index is empty.
     instance._decrypt_key_index = {}  # pylint: disable=protected-access
     instance._encrypt_key_index = {instance.key_id: instance}  # pylint: disable=protected-access
     instance._members = [instance]  # pylint: disable=protected-access
     return instance
Esempio n. 8
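    def validate_unique_mrks(self):
        """Make sure the set of configured key ids does not contain any related MRKs.

        Only identifiers accepted by ``is_valid_mrk_identifier`` are compared;
        every pair that ``_key_resource_match`` reports as sharing a resource id
        is recorded, so the error names all related identifiers rather than just
        the first pair found. The identifiers in the message are sorted so the
        error text is stable across runs (set iteration order is not).

        :raises ConfigMismatchError: if two or more configured MRK identifiers share a resource id
        """
        # //= compliance/framework/aws-kms/aws-kms-mrk-aware-master-key-provider.txt#2.6
        # //# All AWS KMS
        # //# key identifiers are be passed to Assert AWS KMS MRK are unique (aws-
        # //# kms-mrk-are-unique.md#Implementation) and the function MUST return
        # //# success.

        # //= compliance/framework/aws-kms/aws-kms-mrk-are-unique.txt#2.5
        # //# The caller MUST provide:

        # //= compliance/framework/aws-kms/aws-kms-mrk-are-unique.txt#2.5
        # //# If the list does not contain any multi-Region keys (aws-kms-key-
        # //# arn.md#identifying-an-aws-kms-multi-region-key) this function MUST
        # //# exit successfully.
        mrk_identifiers = [key_id for key_id in self.config.key_ids if is_valid_mrk_identifier(key_id)]
        duplicate_ids = set()
        for key1, key2 in itertools.combinations(mrk_identifiers, 2):
            # A set already ignores repeats, so no "not in" guard is needed before adding;
            # the original also carried a no-op `pass` branch here, which is dropped.
            if _key_resource_match(key1, key2):
                duplicate_ids.update((key1, key2))

        # //= compliance/framework/aws-kms/aws-kms-mrk-are-unique.txt#2.5
        # //# If there are zero duplicate resource ids between the multi-region
        # //# keys, this function MUST exit successfully

        # //= compliance/framework/aws-kms/aws-kms-mrk-are-unique.txt#2.5
        # //# If any duplicate multi-region resource ids exist, this function MUST
        # //# yield an error that includes all identifiers with duplicate resource
        # //# ids not only the first duplicate found.
        if duplicate_ids:
            raise ConfigMismatchError(
                "Configured key ids must be unique. Found related MRKs: {keys}"
                .format(keys=", ".join(sorted(duplicate_ids))))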