def test_prep_message_framed_message(
    self, mock_write_header, mock_prep_non_framed, mock_rostream, mock_derive_datakey, mock_encryption_materials_request
):
    """Framed-data preparation through a materials manager builds the expected header.

    Checks that the encryption-materials request carries the caller's encryption
    context and plaintext length, that the frame length is validated against the
    algorithm the materials manager returned, that the message data key is derived
    from the materials' data encryption key, and that the written header echoes the
    materials (including the encryption context supplied by the materials manager).
    """
    mock_rostream.return_value = sentinel.plaintext_rostream
    encryptor = StreamEncryptor(
        source=self.mock_input_stream,
        materials_manager=self.mock_materials_manager,
        frame_length=self.mock_frame_length,
        source_length=5,
        encryption_context=VALUES["encryption_context"],
    )
    encryptor.content_type = ContentType.FRAMED_DATA
    # The materials manager is expected to return a context that already holds the signer key.
    materials_context = {aws_encryption_sdk.internal.defaults.ENCODED_SIGNER_KEY: sentinel.decoded_bytes}
    materials = self.mock_encryption_materials
    materials.encryption_context = materials_context
    materials.encrypted_data_keys = self.mock_encrypted_data_keys

    encryptor._prep_message()

    mock_encryption_materials_request.assert_called_once_with(
        algorithm=encryptor.config.algorithm,
        encryption_context=VALUES["encryption_context"],
        plaintext_rostream=sentinel.plaintext_rostream,
        frame_length=encryptor.config.frame_length,
        plaintext_length=5,
    )
    self.mock_materials_manager.get_encryption_materials.assert_called_once_with(
        request=mock_encryption_materials_request.return_value
    )
    # Frame length is checked against the negotiated algorithm, not the requested one.
    self.mock_validate_frame_length.assert_called_once_with(
        frame_length=self.mock_frame_length, algorithm=materials.algorithm
    )
    mock_derive_datakey.assert_called_once_with(
        source_key=materials.data_encryption_key.data_key,
        algorithm=materials.algorithm,
        message_id=VALUES["message_id"],
    )
    assert encryptor._derived_data_key is mock_derive_datakey.return_value

    expected_header = MessageHeader(
        version=aws_encryption_sdk.internal.defaults.VERSION,
        type=aws_encryption_sdk.internal.defaults.TYPE,
        algorithm=materials.algorithm,
        message_id=VALUES["message_id"],
        encryption_context=materials_context,
        encrypted_data_keys=self.mock_encrypted_data_keys,
        content_type=encryptor.content_type,
        content_aad_length=0,
        header_iv_length=materials.algorithm.iv_len,
        frame_length=self.mock_frame_length,
    )
    assert encryptor._header == expected_header
    mock_write_header.assert_called_once_with()
    assert not mock_prep_non_framed.called
    assert encryptor._message_prepped
def test_prep_message_non_framed_message(self, mock_write_header, mock_prep_non_framed):
    """Selecting NO_FRAMING routes message preparation through the non-framed path."""
    encryptor = StreamEncryptor(
        source=self.mock_input_stream,
        key_provider=self.mock_key_provider,
        frame_length=self.mock_frame_length,
    )
    encryptor.content_type = ContentType.NO_FRAMING

    encryptor._prep_message()

    mock_prep_non_framed.assert_called_once_with()
def test_prep_message_non_framed_message(self, mock_write_header, mock_prep_non_framed):
    """Selecting NO_FRAMING with a materials manager routes through the non-framed path."""
    encryptor = StreamEncryptor(
        source=VALUES["data_128"],
        materials_manager=self.mock_materials_manager,
        frame_length=self.mock_frame_length,
    )
    encryptor.content_type = ContentType.NO_FRAMING

    encryptor._prep_message()

    mock_prep_non_framed.assert_called_once_with()
def test_prep_message_no_signer(self):
    """A non-signing algorithm suite must not instantiate a signer during preparation.

    AES_128_GCM_IV12_TAG16 carries no signature; both the requested suite and the one
    returned by the materials manager are set to it so no signer construction is expected.
    """
    unsigned_suite = Algorithm.AES_128_GCM_IV12_TAG16
    self.mock_encryption_materials.algorithm = unsigned_suite
    encryptor = StreamEncryptor(
        source=VALUES["data_128"],
        materials_manager=self.mock_materials_manager,
        frame_length=self.mock_frame_length,
        algorithm=unsigned_suite,
    )
    encryptor.content_type = ContentType.FRAMED_DATA

    encryptor._prep_message()

    assert not self.mock_signer.called
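def test_prep_message_no_max_encrypted_data_keys(self):
    """Without a configured ``max_encrypted_data_keys`` a large key set is accepted.

    The materials report 2**16 - 1 encrypted data keys. With no caller-supplied
    ceiling, preparation must complete and leave the message marked as prepped
    rather than rejecting the key count.
    """
    encryptor = StreamEncryptor(
        source=io.BytesIO(self.plaintext),
        materials_manager=self.mock_materials_manager,
        frame_length=self.mock_frame_length,
        source_length=5,
        commitment_policy=self.mock_commitment_policy,
    )
    # Only the length is stubbed; the key-count check is expected to read len() of the set.
    self.mock_encryption_materials.encrypted_data_keys.__len__.return_value = 2**16 - 1
    encryptor.content_type = ContentType.FRAMED_DATA

    encryptor._prep_message()

    # Previously this test passed only by not raising; pin the success state explicitly.
    assert encryptor._message_prepped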
def test_prep_message_no_signer(self):
    """A non-signing suite skips the signer and adds no signer key to the encryption context.

    With AES_128_GCM_IV12_TAG16 there is no signing key to publish, so the header's
    encryption context must stay empty.
    """
    encryptor = StreamEncryptor(
        source=self.mock_input_stream,
        key_provider=self.mock_key_provider,
        frame_length=self.mock_frame_length,
        algorithm=Algorithm.AES_128_GCM_IV12_TAG16,
    )
    encryptor.content_type = ContentType.FRAMED_DATA

    encryptor._prep_message()

    assert not self.mock_signer.called
    assert encryptor._header.encryption_context == {}
def test_prep_message_no_master_keys(self):
    """An empty master-key set from the provider aborts preparation with MasterKeyProviderError."""
    provider = self.mock_key_provider
    provider.master_keys_for_encryption.return_value = (sentinel.primary_master_key, set())
    encryptor = StreamEncryptor(
        source=io.BytesIO(self.plaintext),
        key_provider=provider,
        frame_length=self.mock_frame_length,
        source_length=5,
    )

    with pytest.raises(MasterKeyProviderError, match="No Master Keys available from Master Key Provider"):
        encryptor._prep_message()
def test_prep_message_no_master_keys(self):
    """An empty master-key set from the provider aborts preparation with MasterKeyProviderError."""
    provider = self.mock_key_provider
    provider.master_keys_for_encryption.return_value = (sentinel.primary_master_key, set())
    encryptor = StreamEncryptor(
        source=self.mock_input_stream,
        key_provider=provider,
        frame_length=self.mock_frame_length,
        source_length=5,
    )

    with six.assertRaisesRegex(self, MasterKeyProviderError, "No Master Keys available from Master Key Provider"):
        encryptor._prep_message()
def test_prep_message_primary_master_key_not_in_master_keys(self):
    """A primary master key absent from the returned key set is rejected.

    The provider is made to return a primary key that is not a member of the
    master-key set; preparation must fail with MasterKeyProviderError rather than
    generate a data key with an inconsistent key set.
    """
    provider = self.mock_key_provider
    provider.master_keys_for_encryption.return_value = (
        sentinel.unknown_primary_master_key,
        self.mock_master_keys_set,
    )
    encryptor = StreamEncryptor(
        source=self.mock_input_stream,
        key_provider=provider,
        frame_length=self.mock_frame_length,
        source_length=5,
    )

    with six.assertRaisesRegex(self, MasterKeyProviderError, "Primary Master Key not in provided Master Keys"):
        encryptor._prep_message()
def test_prep_message_algorithm_change(self):
    """A materials manager that returns a different algorithm suite than requested is rejected.

    The request asks for AES_128_GCM_IV12_TAG16 while the materials come back with
    AES_256_GCM_IV12_TAG16; preparation must raise ActionNotAllowedError instead of
    silently encrypting under a suite the caller did not ask for.
    """
    self.mock_encryption_materials.algorithm = Algorithm.AES_256_GCM_IV12_TAG16
    encryptor = StreamEncryptor(
        source=self.mock_input_stream,
        materials_manager=self.mock_materials_manager,
        algorithm=Algorithm.AES_128_GCM_IV12_TAG16,
        source_length=128,
    )

    expected_message = "Cryptographic materials manager provided algorithm suite differs from algorithm suite in request.*"
    with six.assertRaisesRegex(self, ActionNotAllowedError, expected_message):
        encryptor._prep_message()
def test_prep_message_algorithm_change(self):
    """A materials manager that returns a different algorithm suite than requested is rejected.

    The request asks for AES_128_GCM_IV12_TAG16 while the materials come back with
    AES_256_GCM_IV12_TAG16; preparation must raise ActionNotAllowedError instead of
    silently encrypting under a suite the caller did not ask for.
    """
    self.mock_encryption_materials.algorithm = Algorithm.AES_256_GCM_IV12_TAG16
    encryptor = StreamEncryptor(
        source=io.BytesIO(self.plaintext),
        materials_manager=self.mock_materials_manager,
        algorithm=Algorithm.AES_128_GCM_IV12_TAG16,
        source_length=128,
    )

    expected_message = "Cryptographic materials manager provided algorithm suite differs from algorithm suite in request.*"
    with pytest.raises(ActionNotAllowedError, match=expected_message):
        encryptor._prep_message()
def test_prep_message_over_max_encrypted_data_keys(self):
    """Exceeding the configured ``max_encrypted_data_keys`` ceiling aborts preparation.

    The encryptor is limited to 3 encrypted data keys and the materials report 4;
    preparation must raise CustomMaximumValueExceeded before the header is built.
    """
    encryptor = StreamEncryptor(
        source=io.BytesIO(self.plaintext),
        materials_manager=self.mock_materials_manager,
        frame_length=self.mock_frame_length,
        source_length=5,
        commitment_policy=self.mock_commitment_policy,
        max_encrypted_data_keys=3,
    )
    # One over the configured ceiling.
    self.mock_encryption_materials.encrypted_data_keys.__len__.return_value = 4
    encryptor.content_type = ContentType.FRAMED_DATA

    with pytest.raises(
        CustomMaximumValueExceeded, match="Number of encrypted data keys found larger than configured value"
    ):
        encryptor._prep_message()
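def test_commitment_uncommitting_algorithm_allowed_by_policy(self):
    """Verifies that an uncommitting algorithm can encrypt under FORBID_ENCRYPT_ALLOW_DECRYPT.

    FORBID_ENCRYPT_ALLOW_DECRYPT forbids committing suites on encrypt, so a suite that
    reports ``is_committing() == False`` must be accepted and preparation must complete.
    """
    # Fake suite: non-committing, with the IV length the header needs.
    uncommitting_suite = MagicMock(__class__=Algorithm, iv_len=12)
    uncommitting_suite.is_committing.return_value = False
    self.mock_encryption_materials.algorithm = uncommitting_suite
    encryptor = StreamEncryptor(
        source=VALUES["data_128"],
        materials_manager=self.mock_materials_manager,
        frame_length=self.mock_frame_length,
        algorithm=uncommitting_suite,
        commitment_policy=CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT,
    )

    encryptor._prep_message()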
def test_prep_message_primary_master_key_not_in_master_keys(self):
    """A primary master key absent from the returned key set is rejected.

    The provider is made to return a primary key that is not a member of the
    master-key set; preparation must fail with MasterKeyProviderError rather than
    generate a data key with an inconsistent key set.
    """
    provider = self.mock_key_provider
    provider.master_keys_for_encryption.return_value = (
        sentinel.unknown_primary_master_key,
        self.mock_master_keys_set,
    )
    encryptor = StreamEncryptor(
        source=io.BytesIO(self.plaintext),
        key_provider=provider,
        frame_length=self.mock_frame_length,
        source_length=5,
    )

    with pytest.raises(MasterKeyProviderError, match="Primary Master Key not in provided Master Keys"):
        encryptor._prep_message()
def test_prep_message_no_master_keys(self):
    """An empty master-key set from the provider aborts preparation with MasterKeyProviderError.

    Commitment and signature policies are supplied so the key-provider path is
    exercised with the full configuration the encryptor accepts.
    """
    provider = self.mock_key_provider
    provider.master_keys_for_encryption.return_value = (sentinel.primary_master_key, set())
    encryptor = StreamEncryptor(
        source=io.BytesIO(self.plaintext),
        key_provider=provider,
        frame_length=self.mock_frame_length,
        source_length=5,
        commitment_policy=self.mock_commitment_policy,
        signature_policy=self.mock_signature_policy,
    )
    encryptor.content_type = ContentType.FRAMED_DATA

    with pytest.raises(MasterKeyProviderError, match="No Master Keys available from Master Key Provider"):
        encryptor._prep_message()
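def test_commitment_committing_algorithm_not_allowed_by_policy(self):
    """Verifies that a committing algorithm cannot encrypt under FORBID_ENCRYPT_ALLOW_DECRYPT.

    FORBID_ENCRYPT_ALLOW_DECRYPT only permits non-committed messages on encrypt, so a
    suite that reports ``is_committing() == True`` must be refused with
    ActionNotAllowedError naming the configuration conflict.
    """
    committing_suite = MagicMock(__class__=Algorithm)
    committing_suite.is_committing.return_value = True
    encryptor = StreamEncryptor(
        source=VALUES["data_128"],
        materials_manager=self.mock_materials_manager,
        frame_length=self.mock_frame_length,
        algorithm=committing_suite,
        commitment_policy=CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT,
    )

    with pytest.raises(
        ActionNotAllowedError,
        match="Configuration conflict. Cannot encrypt due to .* requiring only non-committed messages",
    ):
        encryptor._prep_message()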
def test_commitment_committing_algorithm_required_by_policy(self, policy):
    """Verifies that a committing algorithm can encrypt under policies that require commitment on encrypt.

    ``policy`` is supplied by the test parametrization. The fake suite reports itself as
    committing and exposes a KDF whose ``derive`` returns a fixed byte string so that key
    derivation has something to hand back.
    """
    fake_kdf = MagicMock()
    fake_kdf.derive.return_value = b"somefakekey"

    committing_suite = MagicMock(__class__=Algorithm, iv_len=12)
    committing_suite.is_committing.return_value = True
    committing_suite.kdf_type.return_value = fake_kdf
    self.mock_encryption_materials.algorithm = committing_suite

    encryptor = StreamEncryptor(
        source=VALUES["data_128"],
        materials_manager=self.mock_materials_manager,
        frame_length=self.mock_frame_length,
        algorithm=committing_suite,
        commitment_policy=policy,
    )

    encryptor._prep_message()
def test_commitment_uncommitting_algorithm_not_allowed_by_policy(self, policy):
    """Verifies that an uncommitting algorithm cannot encrypt under policies that require commitment on encrypt.

    ``policy`` is supplied by the test parametrization. A suite reporting
    ``is_committing() == False`` must be refused with ActionNotAllowedError naming the
    configuration conflict.
    """
    uncommitting_suite = MagicMock(__class__=Algorithm, iv_len=12)
    uncommitting_suite.is_committing.return_value = False
    self.mock_encryption_materials.algorithm = uncommitting_suite
    encryptor = StreamEncryptor(
        source=VALUES["data_128"],
        materials_manager=self.mock_materials_manager,
        frame_length=self.mock_frame_length,
        algorithm=uncommitting_suite,
        commitment_policy=policy,
    )

    with pytest.raises(
        ActionNotAllowedError,
        match="Configuration conflict. Cannot encrypt due to .* requiring only committed messages",
    ):
        encryptor._prep_message()
def test_prep_message_framed_message(self, mock_write_header, mock_prep_non_framed, mock_rostream):
    """Framed-data preparation through a key provider signs, derives keys and writes the header.

    Checks that a signer is created for the configured algorithm, that its encoded public
    key is decoded and published under ENCODED_SIGNER_KEY in the encryption context, that
    data keys are prepared from the key provider with that context, and that the header
    is built from the configuration before being written.
    """
    mock_rostream.return_value = sentinel.plaintext_rostream
    encryptor = StreamEncryptor(
        source=self.mock_input_stream,
        key_provider=self.mock_key_provider,
        frame_length=self.mock_frame_length,
        source_length=5,
    )
    encryptor.content_type = ContentType.FRAMED_DATA

    encryptor._prep_message()

    suite = encryptor.config.algorithm
    self.mock_signer.assert_called_once_with(suite)
    self.mock_signer_instance.encoded_public_key.assert_called_once_with()
    self.mock_codecs.decode.assert_called_once_with(sentinel.encoded_public_key)

    # The decoded signer public key is what ends up in the message's encryption context.
    signer_context = {aws_encryption_sdk.internal.defaults.ENCODED_SIGNER_KEY: sentinel.decoded_bytes}
    mock_rostream.assert_called_once_with(self.mock_input_stream)
    self.mock_prepare_data_keys.assert_called_once_with(
        key_provider=self.mock_key_provider,
        algorithm=suite,
        encryption_context=signer_context,
        plaintext_rostream=sentinel.plaintext_rostream,
        plaintext_length=5,
        data_key=encryptor.config.data_key,
    )

    expected_header = MessageHeader(
        version=aws_encryption_sdk.internal.defaults.VERSION,
        type=aws_encryption_sdk.internal.defaults.TYPE,
        algorithm=suite,
        message_id=VALUES["message_id"],
        encryption_context=signer_context,
        encrypted_data_keys=self.mock_encrypted_data_keys,
        content_type=encryptor.content_type,
        content_aad_length=0,
        header_iv_length=suite.iv_len,
        frame_length=self.mock_frame_length,
    )
    assert encryptor._header == expected_header
    mock_write_header.assert_called_once_with()
    assert not mock_prep_non_framed.called
    assert encryptor._message_prepped