Esempio n. 1
 def test_config_bare(self):
     """A config built from only a key ID and a client keeps that client and has no grant tokens."""
     bare_config = KMSMasterKeyConfig(key_id=VALUES['arn'], client=self.mock_client)
     # Identity check: the config must hold the very client object it was given.
     assert bare_config.client is self.mock_client
     # No grant_tokens argument was passed, so the attribute is an empty tuple.
     assert bare_config.grant_tokens == ()
Esempio n. 2
 def test_config_grant_tokens(self):
     """Grant tokens handed to the config are exposed as the same object on ``grant_tokens``."""
     expected_tokens = self.mock_grant_tokens
     config_with_tokens = KMSMasterKeyConfig(
         key_id=VALUES['arn'],
         client=self.mock_client,
         grant_tokens=expected_tokens,
     )
     # Identity, not equality: the tuple supplied by the caller is stored as-is.
     assert config_with_tokens.grant_tokens is expected_tokens
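    def apply_fixture(self):
        """Build the mocks shared by the tests and patch the data-key length check.

        Everything before ``yield`` is setup; the patch is stopped afterwards.
        Presumably this generator is registered as a pytest fixture (the
        decorator is not visible here). Once the patch has been started, the
        rest of the setup and the ``yield`` run inside ``try``/``finally`` so a
        failure while building the configs cannot leave
        ``source_data_key_length_check`` patched for later tests.
        """
        # Stand-in KMS client. __class__ is overridden so isinstance() checks
        # against botocore's BaseClient succeed for the mock.
        self.mock_client = MagicMock()
        self.mock_client.__class__ = botocore.client.BaseClient
        self.mock_client.generate_data_key.return_value = {
            "Plaintext": VALUES["data_key"],
            "CiphertextBlob": VALUES["encrypted_data_key"],
            "KeyId": VALUES["arn_str"],
        }
        # NOTE(review): this stub returns VALUES["arn"] as KeyId while the
        # generate_data_key and decrypt stubs return VALUES["arn_str"];
        # confirm the difference is intentional.
        self.mock_client.encrypt.return_value = {
            "CiphertextBlob": VALUES["encrypted_data_key"],
            "KeyId": VALUES["arn"]
        }
        self.mock_client.decrypt.return_value = {
            "Plaintext": VALUES["data_key"],
            "KeyId": VALUES["arn_str"]
        }
        self.mock_algorithm = MagicMock()
        self.mock_algorithm.__class__ = Algorithm
        self.mock_algorithm.data_key_len = sentinel.data_key_len
        self.mock_algorithm.kdf_input_len = sentinel.kdf_input_len
        self.mock_data_key = MagicMock()
        self.mock_data_key.data_key = VALUES["data_key"]
        self.mock_encrypted_data_key = MagicMock()
        self.mock_encrypted_data_key.encrypted_data_key = VALUES[
            "encrypted_data_key"]
        self.mock_encrypted_data_key.key_provider.key_info = VALUES["arn_str"]

        # The real length check is replaced by a mock, so tests using this
        # fixture do not exercise data-key length validation themselves.
        self.mock_data_key_len_check_patcher = patch(
            "aws_encryption_sdk.internal.utils.source_data_key_length_check")
        self.mock_data_key_len_check = self.mock_data_key_len_check_patcher.start(
        )

        try:
            self.mock_grant_tokens = (sentinel.grant_token_1,
                                      sentinel.grant_token_2)
            self.mock_kms_mkc_1 = KMSMasterKeyConfig(key_id=VALUES["arn"],
                                                     client=self.mock_client)
            self.mock_kms_mkc_2 = KMSMasterKeyConfig(
                key_id=VALUES["arn"],
                client=self.mock_client,
                grant_tokens=self.mock_grant_tokens)
            self.mock_kms_mkc_3 = KMSMasterKeyConfig(key_id="ex_key_info",
                                                     client=self.mock_client)
            yield
        finally:
            # Run tearDown: always undo the patch, even if setup above raised.
            self.mock_data_key_len_check_patcher.stop()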
Esempio n. 4
    def setUp(self):
        """Create the mock KMS client, algorithm, data keys and configs used by each test."""
        arn = VALUES['arn']
        plaintext_key = VALUES['data_key']
        wrapped_key = VALUES['encrypted_data_key']

        # Stand-in KMS client; __class__ is overridden so isinstance() checks
        # against botocore's BaseClient succeed for the mock.
        client = MagicMock()
        client.__class__ = botocore.client.BaseClient
        client.generate_data_key.return_value = {
            'Plaintext': plaintext_key,
            'CiphertextBlob': wrapped_key,
            'KeyId': arn,
        }
        client.encrypt.return_value = {'CiphertextBlob': wrapped_key, 'KeyId': arn}
        client.decrypt.return_value = {'Plaintext': plaintext_key, 'KeyId': arn}
        self.mock_client = client

        algorithm = MagicMock()
        algorithm.__class__ = Algorithm
        algorithm.data_key_len = sentinel.data_key_len
        algorithm.kdf_input_len = sentinel.kdf_input_len
        self.mock_algorithm = algorithm

        self.mock_data_key = MagicMock()
        self.mock_data_key.data_key = plaintext_key
        self.mock_encrypted_data_key = MagicMock()
        self.mock_encrypted_data_key.encrypted_data_key = wrapped_key

        # The real length check is replaced by a mock, so tests built on this
        # setup do not exercise data-key length validation themselves.
        # NOTE(review): no matching stop() is visible in this method;
        # presumably a tearDown stops the patcher. Confirm, otherwise the
        # patch leaks into later tests.
        length_check_patcher = patch('aws_encryption_sdk.internal.utils.source_data_key_length_check')
        self.mock_data_key_len_check_patcher = length_check_patcher
        self.mock_data_key_len_check = length_check_patcher.start()

        self.mock_grant_tokens = (sentinel.grant_token_1, sentinel.grant_token_2)
        # Three configs: plain ARN, ARN plus grant tokens, and a non-ARN key ID.
        self.mock_kms_mkc_1 = KMSMasterKeyConfig(key_id=arn, client=client)
        self.mock_kms_mkc_2 = KMSMasterKeyConfig(
            key_id=arn,
            client=client,
            grant_tokens=self.mock_grant_tokens,
        )
        self.mock_kms_mkc_3 = KMSMasterKeyConfig(key_id='ex_key_info', client=client)
Esempio n. 5
    def test_decrypt_data_key_unsuccessful_non_mrk_provider_different_region(
            self):
        """A non MRK-aware provider must refuse an EDK wrapped by the related MRK of another region.

        The provider is configured with the region-1 MRK ARN and the encrypted
        data key names the region-2 ARN; decryption is expected to raise
        ``DecryptKeyError`` with the "does not match this provider" message.
        """
        # Provider bound to the MRK in region 1.
        region1_config = KMSMasterKeyConfig(
            key_id=VALUES["mrk_arn_region1"],
            client=self.mock_client,
        )
        provider = KMSMasterKey(config=region1_config)

        # The EDK claims to be wrapped by the related MRK in region 2.
        edk = self.mock_encrypted_data_key
        edk.key_provider.key_info = VALUES["mrk_arn_region2"]

        with pytest.raises(DecryptKeyError) as raised:
            provider._decrypt_data_key(encrypted_data_key=edk,
                                       algorithm=self.mock_algorithm)
        # NOTE(review): the test checks only the error message; it does not
        # assert whether the mocked KMS client's decrypt was ever called.
        raised.match(
            "Cannot decrypt EDK wrapped by .*, because it does not match this provider"
        )
def test_attributes_defaults():
    """With a bytes key ID and a boto3 KMS client, ``grant_tokens`` defaults to an empty tuple."""
    kms_client = boto3.client("kms", region_name="us-west-2")
    default_config = KMSMasterKeyConfig(key_id=b"a cmk", client=kms_client)
    assert default_config.grant_tokens == ()
Esempio n. 7
def test_attributes_converts():
    """Grant tokens supplied as a list come back from the config as a tuple."""
    token_list = [sentinel.token_1, sentinel.token_2]
    # The mock reports BaseClient as its class so it is accepted as a client.
    fake_client = MagicMock(__class__=botocore.client.BaseClient)
    converted = KMSMasterKeyConfig(key_id='', client=fake_client, grant_tokens=token_list)
    assert converted.grant_tokens == (sentinel.token_1, sentinel.token_2)
Esempio n. 8
def test_attributes_defaults():
    """A config created without grant tokens exposes an empty tuple."""
    # The mock reports BaseClient as its class so it is accepted as a client.
    fake_client = MagicMock(__class__=botocore.client.BaseClient)
    default_config = KMSMasterKeyConfig(key_id='', client=fake_client)
    assert default_config.grant_tokens == ()
Esempio n. 9
def test_attributes_fail():
    """Passing ``client=None`` explicitly is rejected with ``TypeError``."""
    invalid_kwargs = {'key_id': '', 'client': None}
    with pytest.raises(TypeError):
        KMSMasterKeyConfig(**invalid_kwargs)
Esempio n. 10
def test_attributes_defaults():
    """With a bytes key ID and a boto3 KMS client, ``grant_tokens`` defaults to an empty tuple."""
    kms_client = boto3.client('kms', region_name='us-west-2')
    default_config = KMSMasterKeyConfig(key_id=b'a cmk', client=kms_client)
    assert default_config.grant_tokens == ()
Esempio n. 11
 def test_init_kms_master_key(self, key_id):
     """A master key built from a config reports the configured key ID as ``_key_id``.

     ``key_id`` is supplied from outside this method, presumably by a
     parametrize decorator that is not visible here.
     """
     self.mock_client.meta.config.user_agent_extra = sentinel.user_agent_extra
     master_key = KMSMasterKey(
         config=KMSMasterKeyConfig(key_id=key_id, client=self.mock_client))
     assert master_key._key_id == key_id
Esempio n. 12
 def test_config_default_client(self):
     """KMSMasterKeys do not require passing a client."""
     default_config = KMSMasterKeyConfig(key_id=VALUES["arn"])
     # The client created by default must target the region named in the ARN.
     # Assumes VALUES["arn"] and VALUES["arn_str"] describe the same key; confirm.
     expected_region = arn_from_str(VALUES["arn_str"]).region
     actual_region = default_config.client._client_config.region_name
     assert actual_region == expected_region