def test_add_master_keys_invalid_arn(self, non_arn):
    """A discovery-mode provider must refuse to build a master key from a malformed ARN.

    ``non_arn`` is presumably supplied by a parametrized fixture; each value is
    expected to fail ARN validation and surface as ``MalformedArnError`` rather
    than being accepted as a key identifier.
    """
    # //= compliance/framework/aws-kms/aws-kms-mrk-aware-master-key-provider.txt#2.7
    # //= type=test
    # //# In discovery mode, the requested
    # //# AWS KMS key identifier MUST be a well formed AWS KMS ARN.
    discovery_provider = MRKAwareDiscoveryAwsKmsMasterKeyProvider(discovery_region="us-east-1")

    # Key construction itself is the point at which the bad identifier must be rejected.
    with pytest.raises(MalformedArnError):
        discovery_provider._new_master_key(non_arn)
def test_add_master_keys_mrk_sdk_default(self):
    """An MRK-aware provider with no explicit discovery_region uses the SDK's region for MRKs.

    The botocore session's ``get_config_variable("region")`` is patched to answer
    ``us-west-2``. For a multi-Region key ARN whose embedded region is
    ``eu-west-2``, the resulting master key must be built against the provider's
    default region, the KMS client must be created for that region, and the
    configured grant tokens must be handed to the key unchanged.
    """
    tokens = (sentinel.grant_token2, sentinel.grant_token2)
    requested_arn = arn_from_str(
        "arn:aws:kms:eu-west-2:222222222222:key/mrk-aaaaaaaa-1111-2222-3333-bbbbbbbbbbbb"
    )
    sdk_region = "us-west-2"

    with patch.object(
        self.mock_botocore_session, "get_config_variable", return_value=sdk_region
    ) as get_config_variable:
        provider = MRKAwareDiscoveryAwsKmsMasterKeyProvider(
            botocore_session=self.mock_botocore_session, grant_tokens=tokens
        )
        # The provider must have consulted the SDK config for its default region exactly once.
        get_config_variable.assert_called_once_with("region")

        master_key = provider._new_master_key(requested_arn.to_string())

        # //= compliance/framework/aws-kms/aws-kms-mrk-aware-master-key-provider.txt#2.7
        # //= type=test
        # //# Otherwise if the mode is discovery then
        # //# the AWS Region MUST be the discovery MRK region.
        assert master_key.__class__ is MRKAwareKMSMasterKey

        self.mock_boto3_session.assert_called_with(botocore_session=ANY)
        self.mock_boto3_session_instance.client.assert_called_with(
            "kms",
            region_name=provider.default_region,
            config=provider._user_agent_adding_config,
        )

        # The key id is re-targeted to the default region; the ARN's own region must not survive.
        assert provider.default_region in master_key._key_id
        assert requested_arn.region not in master_key._key_id
        assert master_key.config.grant_tokens is tokens
def test_add_master_keys_mrk_with_discovery_region(self):
    """An MRK-aware provider with an explicit discovery_region uses that region for MRKs.

    The requested ARN names a multi-Region key in ``eu-west-2``; the provider is
    configured for ``us-east-1``. The master key and its KMS client must be
    built for the configured region, the ARN's region must not appear in the key
    id, and the grant tokens must be passed through untouched.
    """
    tokens = (sentinel.grant_token2, sentinel.grant_token2)
    requested_arn = arn_from_str(
        "arn:aws:kms:eu-west-2:222222222222:key/mrk-aaaaaaaa-1111-2222-3333-bbbbbbbbbbbb"
    )
    discovery_region = "us-east-1"

    provider = MRKAwareDiscoveryAwsKmsMasterKeyProvider(
        discovery_region=discovery_region, grant_tokens=tokens
    )
    master_key = provider._new_master_key(requested_arn.to_string())

    # //= compliance/framework/aws-kms/aws-kms-mrk-aware-master-key-provider.txt#2.7
    # //= type=test
    # //# In discovery mode a AWS KMS MRK Aware Master Key (aws-kms-mrk-aware-
    # //# master-key.md) MUST be returned configured with
    assert master_key.__class__ is MRKAwareKMSMasterKey

    self.mock_boto3_session.assert_called_with(botocore_session=ANY)
    self.mock_boto3_session_instance.client.assert_called_with(
        "kms",
        region_name=discovery_region,
        config=provider._user_agent_adding_config,
    )

    # The MRK is re-targeted to the discovery region rather than the region in the ARN.
    assert discovery_region in master_key._key_id
    assert requested_arn.region not in master_key._key_id
    assert master_key.config.grant_tokens is tokens
def test_add_master_keys_srk(self):
    """An MRK-aware provider keeps the ARN's own region for single-Region keys.

    The requested ARN is a plain (non-``mrk-``) key in ``eu-west-2`` while the
    provider's discovery_region is ``us-east-1``. Because the key is not
    multi-Region, the KMS client must be built for ``eu-west-2`` and the key id
    must be the requested ARN exactly as given.
    """
    srk_arn = "arn:aws:kms:eu-west-2:222222222222:key/aaaaaaaa-1111-2222-3333-bbbbbbbbbbbb"

    provider = MRKAwareDiscoveryAwsKmsMasterKeyProvider(discovery_region="us-east-1")
    master_key = provider._new_master_key(srk_arn)

    # //= compliance/framework/aws-kms/aws-kms-mrk-aware-master-key-provider.txt#2.7
    # //= type=test
    # //# Otherwise if the requested AWS KMS key
    # //# identifier is identified as a multi-Region key (aws-kms-key-
    # //# arn.md#identifying-an-aws-kms-multi-region-key), then AWS Region MUST
    # //# be the region from the AWS KMS key ARN stored in the provider info
    # //# from the encrypted data key.
    assert master_key.__class__ is MRKAwareKMSMasterKey

    self.mock_boto3_session.assert_called_with(botocore_session=ANY)
    self.mock_boto3_session_instance.client.assert_called_with(
        "kms",
        region_name="eu-west-2",
        config=provider._user_agent_adding_config,
    )

    # No region rewriting for an SRK: the key id is the ARN that was requested.
    assert master_key._key_id == srk_arn