def test_read_header_no_verifier(self, mock_derive_datakey, mock_decrypt_materials_request, mock_verifier):
    """Check that ``_read_header`` leaves ``verifier`` unset without a verification key.

    The materials manager mock hands back decryption materials whose
    ``verification_key`` is ``None``; once the header has been read, the
    decryptor's ``verifier`` attribute must be ``None`` as well.
    """
    materials_without_verification_key = MagicMock(data_key=VALUES["data_key_obj"], verification_key=None)
    self.mock_materials_manager.decrypt_materials.return_value = materials_without_verification_key

    decryptor = StreamDecryptor(materials_manager=self.mock_materials_manager, source=self.mock_input_stream)
    decryptor.key_provider = self.mock_key_provider
    decryptor.source_stream = self.mock_input_stream
    decryptor._stream_length = len(VALUES["data_128"])

    decryptor._read_header()

    # No verification key in the materials, so the decryptor must not carry a verifier.
    assert decryptor.verifier is None
def test_read_header_no_verifier(self, mock_init):
    """Run ``_read_header`` with the header-derived verifier mocked to ``None``.

    NOTE(review): this test makes no explicit assertion. It passes whenever
    ``_read_header`` returns without raising, so a regression in how a missing
    verifier is handled could go unnoticed. Consider asserting the resulting
    verifier state on the decryptor.
    """
    self.mock_verifier_from_header.return_value = None
    mock_init.return_value = None

    decryptor = StreamDecryptor(
        key_provider=self.mock_key_provider,
        source=self.mock_input_stream,
    )
    decryptor.key_provider = self.mock_key_provider
    decryptor.source_stream = self.mock_input_stream
    decryptor._stream_length = len(VALUES['data_128'])

    # Success here means only "did not raise".
    decryptor._read_header()
def test_read_header_frame_too_large(self, mock_derive_datakey):
    """Check that a header frame length above ``max_body_length`` is rejected.

    The mocked header declares a framed message with ``frame_length`` 1024 while
    the decryptor is configured with ``max_body_length=10``. ``_read_header``
    must raise ``CustomMaximumValueExceeded`` and name both values, so the
    header-declared size is refused while the header is being read.
    """
    declared_frame_length = 1024
    caller_limit = 10

    self.mock_header.content_type = ContentType.FRAMED_DATA
    self.mock_header.frame_length = declared_frame_length

    ciphertext_stream = io.BytesIO(VALUES["data_128"])
    decryptor = StreamDecryptor(
        key_provider=self.mock_key_provider,
        source=ciphertext_stream,
        max_body_length=caller_limit,
    )
    decryptor.key_provider = self.mock_key_provider
    decryptor.source_stream = ciphertext_stream
    decryptor._stream_length = len(VALUES["data_128"])

    expected_message = "Frame Size in header found larger than custom value: {found} > {custom}".format(
        found=declared_frame_length, custom=caller_limit
    )

    with pytest.raises(CustomMaximumValueExceeded) as excinfo:
        decryptor._read_header()

    # Checked after the block exits; inside the block it would never run.
    excinfo.match(expected_message)
def test_read_header_frame_too_large(self, mock_init, mock_derive_datakey):
    """Check that a header frame length above ``max_body_length`` is rejected.

    The mocked header declares a framed message with ``frame_length`` 1024 while
    the decryptor is constructed with ``max_body_length=10``. ``_read_header``
    must raise ``CustomMaximumValueExceeded`` with a message naming both values.
    """
    declared_frame_length = 1024
    caller_limit = 10

    self.mock_header.content_type = ContentType.FRAMED_DATA
    self.mock_header.frame_length = declared_frame_length
    mock_init.return_value = None

    ciphertext_stream = io.BytesIO(VALUES['data_128'])
    decryptor = StreamDecryptor(
        key_provider=self.mock_key_provider,
        source=ciphertext_stream,
        max_body_length=caller_limit,
    )
    decryptor.key_provider = self.mock_key_provider
    decryptor.source_stream = ciphertext_stream
    decryptor._stream_length = len(VALUES['data_128'])

    expected_pattern = 'Frame Size in header found larger than custom value: {found} > {custom}'.format(
        found=declared_frame_length, custom=caller_limit
    )

    with six.assertRaisesRegex(self, CustomMaximumValueExceeded, expected_pattern):
        decryptor._read_header()
def test_commitment_uncommitting_algorithm_policy_allows(
    self, mock_derive_datakey, mock_decrypt_materials_request, mock_verifier, policy
):
    """Check that a non-committing algorithm is readable when the policy allows it.

    The header's algorithm reports ``is_committing() == False``. With the given
    ``policy`` the header must be read successfully and the commitment
    comparison must not be invoked at all.
    """
    non_committing_algorithm = MagicMock(
        __class__=Algorithm,
        iv_len=12,
        is_committing=MagicMock(return_value=False),
    )
    self.mock_header.algorithm = non_committing_algorithm

    decryptor = StreamDecryptor(
        materials_manager=self.mock_materials_manager,
        source=self.mock_input_stream,
        commitment_policy=policy,
    )

    decryptor._read_header()

    self.mock_deserialize_header.assert_called_once_with(self.mock_input_stream)
    # No commitment value to compare for a non-committing algorithm.
    self.mock_compare_digest.assert_not_called()
def test_commitment_uncommitting_algorithm_policy_requires_encrypt(
    self, mock_derive_datakey, mock_decrypt_materials_request, mock_verifier
):
    """Check that a non-committing message is refused under a require-commitment policy.

    The header's algorithm reports ``is_committing() == False`` and the
    decryptor is configured with ``REQUIRE_ENCRYPT_REQUIRE_DECRYPT``.
    ``_read_header`` must raise ``ActionNotAllowedError`` describing the
    configuration conflict instead of proceeding with decryption.
    """
    non_committing_algorithm = MagicMock(
        __class__=Algorithm,
        iv_len=12,
        is_committing=MagicMock(return_value=False),
    )
    self.mock_header.algorithm = non_committing_algorithm

    decryptor = StreamDecryptor(
        materials_manager=self.mock_materials_manager,
        source=self.mock_input_stream,
        commitment_policy=CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT,
    )

    conflict_pattern = "Configuration conflict. Cannot decrypt due to .* requiring only committed messages"

    with pytest.raises(ActionNotAllowedError) as excinfo:
        decryptor._read_header()

    # Checked after the block exits; inside the block it would never run.
    excinfo.match(conflict_pattern)
def test_commitment_committing_algorithm_policy_allows_check_fails(
    self, mock_derive_datakey, mock_decrypt_materials_request, mock_verifier
):
    """Check that a failed commitment comparison aborts header processing.

    The header's algorithm reports ``is_committing() == True`` and the mocked
    digest comparison returns ``False``. Even under the permissive
    ``FORBID_ENCRYPT_ALLOW_DECRYPT`` policy, ``_read_header`` must raise
    ``MasterKeyProviderError`` with the key commitment failure message.
    """
    # Simulate a commitment value that does not match.
    self.mock_compare_digest.return_value = False

    committing_algorithm = MagicMock(
        __class__=Algorithm,
        iv_len=12,
        is_committing=MagicMock(return_value=True),
    )
    self.mock_header.algorithm = committing_algorithm

    decryptor = StreamDecryptor(
        materials_manager=self.mock_materials_manager,
        source=self.mock_input_stream,
        commitment_policy=CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT,
    )

    with pytest.raises(MasterKeyProviderError) as excinfo:
        decryptor._read_header()

    # Checked after the block exits; inside the block it would never run.
    excinfo.match("Key commitment validation failed")
def test_commitment_committing_algorithm_policy_allows_check_passes(
    self, mock_derive_datakey, mock_decrypt_materials_request, mock_verifier, policy
):
    """Check that a committing algorithm is readable when the commitment check passes.

    The header's algorithm reports ``is_committing() == True`` and the digest
    comparison mock is left at its configured default. With the given
    ``policy`` the header must be read without an exception.
    """
    committing_algorithm = MagicMock(
        __class__=Algorithm,
        iv_len=12,
        is_committing=MagicMock(return_value=True),
    )
    self.mock_header.algorithm = committing_algorithm

    decryptor = StreamDecryptor(
        materials_manager=self.mock_materials_manager,
        source=self.mock_input_stream,
        commitment_policy=policy,
    )
    decryptor.key_provider = self.mock_key_provider
    decryptor.source_stream = self.mock_input_stream
    decryptor._stream_length = len(VALUES["data_128"])

    decryptor._read_header()

    self.mock_deserialize_header.assert_called_once_with(self.mock_input_stream)
    # NOTE(review): nothing here asserts that the commitment comparison was
    # actually consulted, so this test would still pass if the check were
    # skipped. Consider asserting on self.mock_compare_digest; confirm the
    # expected call count against _read_header first.
def test_read_header(self, mock_derive_datakey, mock_decrypt_materials_request, mock_verifier):
    """Pin every collaborator call ``_read_header`` makes on the success path.

    Covers, in order: header deserialization, verifier construction from the
    verification key, the decrypt-materials request (including the commitment
    policy), feeding the raw header to the verifier, header-auth
    deserialization, data key derivation, and header validation with the
    derived key.
    """
    verifier_instance = MagicMock()
    mock_verifier.from_key_bytes.return_value = verifier_instance

    ciphertext = VALUES["data_128"]
    ciphertext_stream = io.BytesIO(ciphertext)
    policy_double = MagicMock(__class__=CommitmentPolicy)

    decryptor = StreamDecryptor(
        materials_manager=self.mock_materials_manager,
        source=ciphertext_stream,
        commitment_policy=policy_double,
    )
    decryptor.source_stream = ciphertext_stream
    decryptor._stream_length = len(ciphertext)

    header, header_auth = decryptor._read_header()

    expected_algorithm = self.mock_header.algorithm
    derived_key = mock_derive_datakey.return_value

    self.mock_deserialize_header.assert_called_once_with(ciphertext_stream)
    mock_verifier.from_key_bytes.assert_called_once_with(
        algorithm=expected_algorithm,
        key_bytes=sentinel.verification_key,
    )
    # The configured commitment policy must be forwarded in the materials request.
    mock_decrypt_materials_request.assert_called_once_with(
        encrypted_data_keys=sentinel.encrypted_data_keys,
        algorithm=expected_algorithm,
        encryption_context=sentinel.encryption_context,
        commitment_policy=policy_double,
    )
    self.mock_materials_manager.decrypt_materials.assert_called_once_with(
        request=mock_decrypt_materials_request.return_value
    )
    # The verifier is updated with the raw header bytes.
    verifier_instance.update.assert_called_once_with(self.mock_raw_header)
    self.mock_deserialize_header_auth.assert_called_once_with(
        version=self.mock_header.version,
        stream=ciphertext_stream,
        algorithm=expected_algorithm,
        verifier=verifier_instance,
    )
    mock_derive_datakey.assert_called_once_with(
        source_key=VALUES["data_key_obj"].data_key,
        algorithm=expected_algorithm,
        message_id=self.mock_header.message_id,
    )
    assert decryptor._derived_data_key is derived_key
    # Header validation receives the derived key, not the source data key.
    self.mock_validate_header.assert_called_once_with(
        header=self.mock_header,
        header_auth=sentinel.header_auth,
        raw_header=self.mock_raw_header,
        data_key=derived_key,
    )
    assert header is self.mock_header
    assert header_auth is sentinel.header_auth
def test_read_header(self, mock_init, mock_derive_datakey, mock_decrypt_materials_request, mock_verifier):
    """Pin every collaborator call ``_read_header`` makes on the success path.

    Covers header deserialization, verifier construction from the verification
    key, the decrypt-materials request, the verifier update, header-auth
    deserialization, data key derivation, and header validation with the
    derived key.
    """
    verifier_instance = MagicMock()
    mock_verifier.from_key_bytes.return_value = verifier_instance
    mock_init.return_value = None

    ciphertext = VALUES['data_128']
    ciphertext_stream = io.BytesIO(ciphertext)

    decryptor = StreamDecryptor(
        materials_manager=self.mock_materials_manager,
        source=ciphertext_stream,
    )
    decryptor.source_stream = ciphertext_stream
    decryptor._stream_length = len(ciphertext)

    header, header_auth = decryptor._read_header()

    expected_algorithm = self.mock_header.algorithm
    derived_key = mock_derive_datakey.return_value

    self.mock_deserialize_header.assert_called_once_with(ciphertext_stream)
    mock_verifier.from_key_bytes.assert_called_once_with(
        algorithm=expected_algorithm,
        key_bytes=sentinel.verification_key,
    )
    mock_decrypt_materials_request.assert_called_once_with(
        encrypted_data_keys=sentinel.encrypted_data_keys,
        algorithm=expected_algorithm,
        encryption_context=sentinel.encryption_context,
    )
    self.mock_materials_manager.decrypt_materials.assert_called_once_with(
        request=mock_decrypt_materials_request.return_value
    )
    # Empty update: presumably because the mocked deserialize_header never
    # advances the stream, so no header bytes are available to hash.
    verifier_instance.update.assert_called_once_with(b'')
    self.mock_deserialize_header_auth.assert_called_once_with(
        stream=ciphertext_stream,
        algorithm=expected_algorithm,
        verifier=verifier_instance,
    )
    mock_derive_datakey.assert_called_once_with(
        source_key=VALUES['data_key_obj'].data_key,
        algorithm=expected_algorithm,
        message_id=self.mock_header.message_id,
    )
    assert decryptor._derived_data_key is derived_key
    # Header validation receives the derived key, not the source data key.
    self.mock_validate_header.assert_called_once_with(
        header=self.mock_header,
        header_auth=sentinel.header_auth,
        stream=ciphertext_stream,
        header_start=0,
        header_end=0,  # Because we mock out deserialize_header, this stays at the start of the stream
        data_key=derived_key,
    )
    assert header is self.mock_header
    assert header_auth is sentinel.header_auth
def test_read_header(self, mock_init):
    """Pin every collaborator call ``_read_header`` makes on the success path.

    Covers header deserialization, verifier construction from the header, the
    verifier update, header-auth deserialization, data key decryption through
    the key provider, and header validation.
    """
    verifier_double = MagicMock()
    self.mock_verifier_from_header.return_value = verifier_double
    mock_init.return_value = None

    ciphertext = VALUES['data_128']
    ciphertext_stream = io.BytesIO(ciphertext)

    decryptor = StreamDecryptor(
        key_provider=self.mock_key_provider,
        source=ciphertext_stream,
    )
    decryptor.key_provider = self.mock_key_provider
    decryptor.source_stream = ciphertext_stream
    decryptor._stream_length = len(ciphertext)

    header, header_auth = decryptor._read_header()

    self.mock_deserialize_header.assert_called_once_with(ciphertext_stream)
    self.mock_verifier_from_header.assert_called_once_with(self.mock_header)
    # Empty update: presumably because the mocked deserialize_header never
    # advances the stream, so no header bytes are available to hash.
    verifier_double.update.assert_called_once_with(b'')
    self.mock_deserialize_header_auth.assert_called_once_with(
        stream=ciphertext_stream,
        algorithm=sentinel.algorithm,
        verifier=verifier_double,
    )
    self.mock_key_provider.decrypt_data_key_from_list.assert_called_once_with(
        encrypted_data_keys=sentinel.encrypted_data_keys,
        algorithm=sentinel.algorithm,
        encryption_context=sentinel.encryption_context,
    )
    self.mock_validate_header.assert_called_once_with(
        header=self.mock_header,
        header_auth=sentinel.header_auth,
        stream=ciphertext_stream,
        header_start=0,
        header_end=0,  # Because we mock out deserialize_header, this stays at the start of the stream
        data_key=VALUES['data_key_obj'],
    )
    assert header is self.mock_header
    assert header_auth is sentinel.header_auth