def test_owns_data_key_owned_same_region(self):
    """An EDK whose provider info is exactly the configured MRK ARN is owned.

    The provider id must be "aws-kms" and the key info must equal the
    ARN the master key was configured with (same region, same key).
    """
    cfg = MRKAwareKMSMasterKeyConfig(key_id=self.mrk_region1, client=self.mock_client)
    master_key = MRKAwareKMSMasterKey(config=cfg)

    # Same ARN as the configuration: the most direct ownership case.
    provider = MagicMock(provider_id="aws-kms", key_info=self.mrk_region1)
    edk = MagicMock(key_provider=provider)

    assert master_key.owns_data_key(data_key=edk)
def test_owns_data_key_not_owned_wrong_provider(self):
    """An EDK from a provider other than "aws-kms" is never owned.

    Even though the key info is the configured ARN, a mismatched
    provider id alone must make ownership fail.
    """
    cfg = MRKAwareKMSMasterKeyConfig(key_id=self.mrk_region1, client=self.mock_client)
    master_key = MRKAwareKMSMasterKey(config=cfg)

    # Matching key info but a foreign provider id.
    provider = MagicMock(provider_id="another_provider", key_info=self.mrk_region1)
    edk = MagicMock(key_provider=provider)

    assert not master_key.owns_data_key(data_key=edk)
def test_owns_data_key_not_owned_wrong_key_id(self):
    """An EDK whose key ARN is unrelated to the configured MRK is not owned.

    The provider id is correct, so the refusal must come from the key
    info not being a related multi-region key of the configured ARN.
    """
    cfg = MRKAwareKMSMasterKeyConfig(key_id=self.mrk_region1, client=self.mock_client)
    master_key = MRKAwareKMSMasterKey(config=cfg)

    # VALUES["arn"] is a non-MRK ARN, not related to self.mrk_region1.
    provider = MagicMock(provider_id="aws-kms", key_info=VALUES["arn"])
    edk = MagicMock(key_provider=provider)

    assert not master_key.owns_data_key(data_key=edk)
def test_owns_data_key_owned_different_region(self):
    """An EDK carrying a related MRK ARN (other region) is owned.

    Ownership is decided by the MRK "match for decrypt" rule, so a
    replica of the configured key in a different region qualifies.
    """
    # //= compliance/framework/aws-kms/aws-kms-mrk-aware-master-key.txt#2.9
    # //= type=test
    # //# To match the encrypted data key's
    # //# provider ID MUST exactly match the value "aws-kms" and the the
    # //# function AWS KMS MRK Match for Decrypt (aws-kms-mrk-match-for-
    # //# decrypt.md#implementation) called with the configured AWS KMS key
    # //# identifier and the encrypted data key's provider info MUST return
    # //# "true".
    cfg = MRKAwareKMSMasterKeyConfig(key_id=self.mrk_region1, client=self.mock_client)
    master_key = MRKAwareKMSMasterKey(config=cfg)

    # Related MRK in region 2, configured key is in region 1.
    provider = MagicMock(provider_id="aws-kms", key_info=self.mrk_region2)
    edk = MagicMock(key_provider=provider)

    assert master_key.owns_data_key(data_key=edk)
def test_decrypt_data_key_failure_kms_returns_wrong_mrk(self):
    """Decrypt fails when KMS reports a KeyId other than the one requested.

    The master key calls KMS with its configured MRK (region 1). If the
    response names the EDK's related MRK (region 2) instead, the plaintext
    must be rejected with DecryptKeyError rather than trusted — the
    returned KeyId is the only binding between the request and the
    key material that came back.
    """
    # Configured with the region 1 MRK.
    cfg = MRKAwareKMSMasterKeyConfig(key_id=self.mrk_region1, client=self.mock_client)
    master_key = MRKAwareKMSMasterKey(config=cfg)

    # Simulate KMS answering with the region 2 MRK.
    self.mock_client.decrypt.return_value = {
        "Plaintext": VALUES["data_key"],
        "KeyId": self.mrk_region2,
    }
    self.mock_encrypted_data_key.key_provider.key_info = self.mrk_region2

    with pytest.raises(DecryptKeyError, match="AWS KMS returned unexpected key_id"):
        master_key._decrypt_data_key(
            encrypted_data_key=self.mock_encrypted_data_key,
            algorithm=sentinel.algorithm,
        )
def test_decrypt_data_key_successful_mrk_provider_different_regions(self):
    """Decrypt succeeds for an EDK wrapped by a related MRK in another region.

    The KMS call must be issued with the *configured* key (region 1),
    not the ARN found in the EDK (region 2), and the KeyId KMS echoes
    back must be that configured key.
    """
    # Configuration and the simulated KMS response both use region 1.
    cfg = MRKAwareKMSMasterKeyConfig(
        key_id=VALUES["mrk_arn_region1"], client=self.mock_client
    )
    master_key = MRKAwareKMSMasterKey(config=cfg)
    self.mock_client.decrypt.return_value = {
        "Plaintext": VALUES["data_key"],
        "KeyId": VALUES["mrk_arn_region1_str"],
    }

    # The EDK itself names the related MRK in region 2.
    self.mock_encrypted_data_key.key_provider.key_info = VALUES["mrk_arn_region2"]

    master_key._decrypt_data_key(
        encrypted_data_key=self.mock_encrypted_data_key,
        algorithm=self.mock_algorithm,
    )

    # Exactly one KMS call, addressed to the configured region 1 key.
    self.mock_client.decrypt.assert_called_once_with(
        CiphertextBlob=VALUES["encrypted_data_key"],
        KeyId=VALUES["mrk_arn_region1_str"],
    )
def test_init_mrk_kms_master_key_invalid_id(self, key_id):
    """Constructing the master key with an unparseable key id raises.

    Args:
        key_id: an identifier that is not a valid AWS KMS ARN (supplied
            by the test parametrization, which is outside this method).
    """
    # //= compliance/framework/aws-kms/aws-kms-mrk-aware-master-key.txt#2.6
    # //= type=test
    # //# The AWS KMS
    # //# key identifier MUST be a valid identifier (aws-kms-key-arn.md#a-
    # //# valid-aws-kms-identifier).
    self.mock_client.meta.config.user_agent_extra = sentinel.user_agent_extra
    cfg = MRKAwareKMSMasterKeyConfig(key_id=key_id, client=self.mock_client)

    # NOTE(review): match= is a regex; fine as long as the parametrized
    # key_id values carry no regex metacharacters.
    expected = f"Resource {key_id} could not be parsed as an ARN"
    with pytest.raises(MalformedArnError, match=expected):
        MRKAwareKMSMasterKey(config=cfg)
def test_init_mrk_kms_master_key(self, key_id):
    """A valid key id is stored unchanged on the constructed master key.

    Args:
        key_id: a valid AWS KMS key identifier from the test
            parametrization (outside this method).
    """
    self.mock_client.meta.config.user_agent_extra = sentinel.user_agent_extra
    cfg = MRKAwareKMSMasterKeyConfig(key_id=key_id, client=self.mock_client)

    master_key = MRKAwareKMSMasterKey(config=cfg)

    assert master_key._key_id == key_id