def test_zlib_compression_env_with_uncompressed_key(monkeypatch): extra_environment_variables = { 'bless_ca_default_password': '******', 'bless_ca_ca_private_key_compression': 'zlib', 'bless_ca_ca_private_key': base64.b64encode(b'<INSERT_YOUR_ENCRYPTED_PEM_FILE_CONTENT>'), } for k, v in extra_environment_variables.items(): monkeypatch.setenv(k, v) # Create an empty config, everything is set in the environment config = BlessConfig('us-east-1', config_file='') with pytest.raises(zlib.error) as e: config.getprivatekey()
def test_wrong_compression_env_key(monkeypatch): extra_environment_variables = { 'bless_ca_default_password': '******', 'bless_ca_ca_private_key_compression': 'lzh', 'bless_ca_ca_private_key': str(base64.b64encode(b'<INSERT_YOUR_ENCRYPTED_PEM_FILE_CONTENT>'), encoding='ascii') } for k, v in extra_environment_variables.items(): monkeypatch.setenv(k, v) # Create an empty config, everything is set in the environment config = BlessConfig('us-east-1', config_file='') with pytest.raises(ValueError) as e: config.getprivatekey() assert "Compression lzh is not supported." == str(e.value)
def test_zlib_compression_env_with_uncompressed_key(monkeypatch): extra_environment_variables = { "bless_ca_default_password": "******", "bless_ca_ca_private_key_compression": "zlib", "bless_ca_ca_private_key": str( base64.b64encode(b"<INSERT_YOUR_ENCRYPTED_PEM_FILE_CONTENT>"), encoding="ascii", ), } for k, v in extra_environment_variables.items(): monkeypatch.setenv(k, v) # Create an empty config, everything is set in the environment config = BlessConfig("us-east-1", config_file="") with pytest.raises(zlib.error) as e: config.getprivatekey()
def test_config_environment_override(monkeypatch): extra_environment_variables = { 'bless_options_certificate_validity_after_seconds': '1', 'bless_options_certificate_validity_before_seconds': '1', 'bless_options_entropy_minimum_bits': '2', 'bless_options_random_seed_bytes': '3', 'bless_options_logging_level': 'DEBUG', 'bless_options_certificate_extensions': 'permit-X11-forwarding', 'bless_options_username_validation': 'debian', 'bless_options_remote_usernames_validation': 'useradd', 'bless_ca_us_east_1_password': '******', 'bless_ca_default_password': '******', 'bless_ca_ca_private_key_file': '<INSERT_YOUR_ENCRYPTED_PEM_FILE_NAME>', 'bless_ca_ca_private_key': str(base64.b64encode(b'<INSERT_YOUR_ENCRYPTED_PEM_FILE_CONTENT>'), encoding='ascii'), 'kms_auth_use_kmsauth': 'True', 'kms_auth_kmsauth_key_id': '<INSERT_ARN>', 'kms_auth_kmsauth_serviceid': 'bless-test', } for k, v in extra_environment_variables.items(): monkeypatch.setenv(k, v) # Create an empty config, everything is set in the environment config = BlessConfig('us-east-1', config_file='') assert 1 == config.getint(BLESS_OPTIONS_SECTION, CERTIFICATE_VALIDITY_AFTER_SEC_OPTION) assert 1 == config.getint(BLESS_OPTIONS_SECTION, CERTIFICATE_VALIDITY_BEFORE_SEC_OPTION) assert 2 == config.getint(BLESS_OPTIONS_SECTION, ENTROPY_MINIMUM_BITS_OPTION) assert 3 == config.getint(BLESS_OPTIONS_SECTION, RANDOM_SEED_BYTES_OPTION) assert 'DEBUG' == config.get(BLESS_OPTIONS_SECTION, LOGGING_LEVEL_OPTION) assert 'permit-X11-forwarding' == config.get(BLESS_OPTIONS_SECTION, CERTIFICATE_EXTENSIONS_OPTION) assert 'debian' == config.get(BLESS_OPTIONS_SECTION, USERNAME_VALIDATION_OPTION) assert 'useradd' == config.get(BLESS_OPTIONS_SECTION, REMOTE_USERNAMES_VALIDATION_OPTION) assert '<INSERT_US-EAST-1_KMS_ENCRYPTED_BASE64_ENCODED_PEM_PASSWORD_HERE>' == config.getpassword() assert '<INSERT_YOUR_ENCRYPTED_PEM_FILE_NAME>' == config.get(BLESS_CA_SECTION, CA_PRIVATE_KEY_FILE_OPTION) assert b'<INSERT_YOUR_ENCRYPTED_PEM_FILE_CONTENT>' == config.getprivatekey() assert config.getboolean(KMSAUTH_SECTION, KMSAUTH_USEKMSAUTH_OPTION) assert '<INSERT_ARN>' == config.get(KMSAUTH_SECTION, KMSAUTH_KEY_ID_OPTION) assert 'bless-test' == config.get(KMSAUTH_SECTION, KMSAUTH_SERVICE_ID_OPTION) config.aws_region = 'invalid' assert '<INSERT_DEFAULT_KMS_ENCRYPTED_BASE64_ENCODED_PEM_PASSWORD_HERE>' == config.getpassword()
def test_none_compression_env_key(monkeypatch): extra_environment_variables = { 'bless_ca_default_password': '******', 'bless_ca_ca_private_key_compression': 'none', 'bless_ca_ca_private_key': str(base64.b64encode(b'<INSERT_YOUR_ENCRYPTED_PEM_FILE_CONTENT>'), encoding='ascii') } for k, v in extra_environment_variables.items(): monkeypatch.setenv(k, v) # Create an empty config, everything is set in the environment config = BlessConfig('us-east-1', config_file='') assert b'<INSERT_YOUR_ENCRYPTED_PEM_FILE_CONTENT>' == config.getprivatekey( )
def test_config_environment_override(monkeypatch): extra_environment_variables = { 'bless_options_certificate_validity_after_seconds': '1', 'bless_options_certificate_validity_before_seconds': '1', 'bless_options_entropy_minimum_bits': '2', 'bless_options_random_seed_bytes': '3', 'bless_options_logging_level': 'DEBUG', 'bless_options_certificate_extensions': 'permit-X11-forwarding', 'bless_ca_us_east_1_password': '******', 'bless_ca_default_password': '******', 'bless_ca_ca_private_key_file': '<INSERT_YOUR_ENCRYPTED_PEM_FILE_NAME>', 'bless_ca_ca_private_key': base64.b64encode('<INSERT_YOUR_ENCRYPTED_PEM_FILE_CONTENT>'), 'kms_auth_use_kmsauth': 'True', 'kms_auth_kmsauth_key_id': '<INSERT_ARN>', 'kms_auth_kmsauth_serviceid': 'bless-test', } for k,v in extra_environment_variables.items(): monkeypatch.setenv(k, v) # Create an empty config, everything is set in the environment config = BlessConfig('us-east-1', config_file='') assert 1 == config.getint(BLESS_OPTIONS_SECTION, CERTIFICATE_VALIDITY_AFTER_SEC_OPTION) assert 1 == config.getint(BLESS_OPTIONS_SECTION, CERTIFICATE_VALIDITY_BEFORE_SEC_OPTION) assert 2 == config.getint(BLESS_OPTIONS_SECTION, ENTROPY_MINIMUM_BITS_OPTION) assert 3 == config.getint(BLESS_OPTIONS_SECTION, RANDOM_SEED_BYTES_OPTION) assert 'DEBUG' == config.get(BLESS_OPTIONS_SECTION, LOGGING_LEVEL_OPTION) assert 'permit-X11-forwarding' == config.get(BLESS_OPTIONS_SECTION, CERTIFICATE_EXTENSIONS_OPTION) assert '<INSERT_US-EAST-1_KMS_ENCRYPTED_BASE64_ENCODED_PEM_PASSWORD_HERE>' == config.getpassword() assert '<INSERT_YOUR_ENCRYPTED_PEM_FILE_NAME>' == config.get(BLESS_CA_SECTION, CA_PRIVATE_KEY_FILE_OPTION) assert '<INSERT_YOUR_ENCRYPTED_PEM_FILE_CONTENT>' == config.getprivatekey() assert config.getboolean(KMSAUTH_SECTION, KMSAUTH_USEKMSAUTH_OPTION) assert '<INSERT_ARN>' == config.get(KMSAUTH_SECTION, KMSAUTH_KEY_ID_OPTION) assert 'bless-test' == config.get(KMSAUTH_SECTION, KMSAUTH_SERVICE_ID_OPTION) config.aws_region = 'invalid' assert '<INSERT_DEFAULT_KMS_ENCRYPTED_BASE64_ENCODED_PEM_PASSWORD_HERE>' == config.getpassword()
def lambda_handler(event, context=None, ca_private_key_password=None, entropy_check=True, config_file=os.path.join(os.path.dirname(__file__), 'bless_deploy.cfg')): """ This is the function that will be called when the lambda function starts. :param event: Dictionary of the json request. :param context: AWS LambdaContext Object http://docs.aws.amazon.com/lambda/latest/dg/python-context-object.html :param ca_private_key_password: For local testing, if the password is provided, skip the KMS decrypt. :param entropy_check: For local testing, if set to false, it will skip checking entropy and won't try to fetch additional random from KMS :param config_file: The config file to load the SSH CA private key from, and additional settings :return: the SSH Certificate that can be written to id_rsa-cert.pub or similar file. """ # AWS Region determines configs related to KMS region = os.environ['AWS_REGION'] # Load the deployment config values config = BlessConfig(region, config_file=config_file) logging_level = config.get(BLESS_OPTIONS_SECTION, LOGGING_LEVEL_OPTION) numeric_level = getattr(logging, logging_level.upper(), None) if not isinstance(numeric_level, int): raise ValueError('Invalid log level: {}'.format(logging_level)) logger = logging.getLogger() logger.setLevel(numeric_level) certificate_validity_before_seconds = config.getint( BLESS_OPTIONS_SECTION, CERTIFICATE_VALIDITY_BEFORE_SEC_OPTION) certificate_validity_after_seconds = config.getint( BLESS_OPTIONS_SECTION, CERTIFICATE_VALIDITY_AFTER_SEC_OPTION) entropy_minimum_bits = config.getint(BLESS_OPTIONS_SECTION, ENTROPY_MINIMUM_BITS_OPTION) random_seed_bytes = config.getint(BLESS_OPTIONS_SECTION, RANDOM_SEED_BYTES_OPTION) ca_private_key = config.getprivatekey() password_ciphertext_b64 = config.getpassword() certificate_extensions = config.get(BLESS_OPTIONS_SECTION, CERTIFICATE_EXTENSIONS_OPTION) # Process cert request schema = BlessSchema(strict=True) schema.context[USERNAME_VALIDATION_OPTION] = config.get( BLESS_OPTIONS_SECTION, USERNAME_VALIDATION_OPTION) schema.context[REMOTE_USERNAMES_VALIDATION_OPTION] = config.get( BLESS_OPTIONS_SECTION, REMOTE_USERNAMES_VALIDATION_OPTION) try: request = schema.load(event).data except ValidationError as e: return error_response('InputValidationError', str(e)) logger.info( 'Bless lambda invoked by [user: {0}, bastion_ips:{1}, public_key: {2}, kmsauth_token:{3}]' .format(request.bastion_user, request.bastion_user_ip, request.public_key_to_sign, request.kmsauth_token)) # decrypt ca private key password if ca_private_key_password is None: kms_client = boto3.client('kms', region_name=region) try: ca_password = kms_client.decrypt( CiphertextBlob=base64.b64decode(password_ciphertext_b64)) ca_private_key_password = ca_password['Plaintext'] except ClientError as e: return error_response('ClientError', str(e)) # if running as a Lambda, we can check the entropy pool and seed it with KMS if desired if entropy_check: with open('/proc/sys/kernel/random/entropy_avail', 'r') as f: entropy = int(f.read()) logger.debug(entropy) if entropy < entropy_minimum_bits: logger.info( 'System entropy was {}, which is lower than the entropy_' 'minimum {}. Using KMS to seed /dev/urandom'.format( entropy, entropy_minimum_bits)) response = kms_client.generate_random( NumberOfBytes=random_seed_bytes) random_seed = response['Plaintext'] with open('/dev/urandom', 'w') as urandom: urandom.write(random_seed) # cert values determined only by lambda and its configs current_time = int(time.time()) test_user = config.get(BLESS_OPTIONS_SECTION, TEST_USER_OPTION) if test_user and (request.bastion_user == test_user or request.remote_usernames == test_user): # This is a test call, the lambda will issue an invalid # certificate where valid_before < valid_after valid_before = current_time valid_after = current_time + 1 bypass_time_validity_check = True else: valid_before = current_time + certificate_validity_after_seconds valid_after = current_time - certificate_validity_before_seconds bypass_time_validity_check = False # Authenticate the user with KMS, if key is setup if config.get(KMSAUTH_SECTION, KMSAUTH_USEKMSAUTH_OPTION): if request.kmsauth_token: try: validator = KMSTokenValidator( None, config.getkmsauthkeyids(), config.get(KMSAUTH_SECTION, KMSAUTH_SERVICE_ID_OPTION), region) # decrypt_token will raise a TokenValidationError if token doesn't match validator.decrypt_token( "2/user/{}".format(request.remote_usernames), request.kmsauth_token) except TokenValidationError as e: return error_response('KMSAuthValidationError', str(e)) else: return error_response('InputValidationError', 'Invalid request, missing kmsauth token') # Build the cert ca = get_ssh_certificate_authority(ca_private_key, ca_private_key_password) cert_builder = get_ssh_certificate_builder(ca, SSHCertificateType.USER, request.public_key_to_sign) for username in request.remote_usernames.split(','): cert_builder.add_valid_principal(username) cert_builder.set_valid_before(valid_before) cert_builder.set_valid_after(valid_after) if certificate_extensions: for e in certificate_extensions.split(','): if e: cert_builder.add_extension(e) else: cert_builder.clear_extensions() # cert_builder is needed to obtain the SSH public key's fingerprint key_id = 'request[{}] for[{}] from[{}] command[{}] ssh_key[{}] ca[{}] valid_to[{}]'.format( context.aws_request_id, request.bastion_user, request.bastion_user_ip, request.command, cert_builder.ssh_public_key.fingerprint, context.invoked_function_arn, time.strftime("%Y/%m/%d %H:%M:%S", time.gmtime(valid_before))) cert_builder.set_critical_option_source_addresses(request.bastion_ips) cert_builder.set_key_id(key_id) cert = cert_builder.get_cert_file(bypass_time_validity_check) logger.info( 'Issued a cert to bastion_ips[{}] for remote_usernames[{}] with key_id[{}] and ' 'valid_from[{}])'.format( request.bastion_ips, request.remote_usernames, key_id, time.strftime("%Y/%m/%d %H:%M:%S", time.gmtime(valid_after)))) return success_response(cert)
def lambda_handler(event, context=None, ca_private_key_password=None, entropy_check=True, config_file=os.path.join(os.path.dirname(__file__), 'bless_deploy.cfg')): """ This is the function that will be called when the lambda function starts. :param event: Dictionary of the json request. :param context: AWS LambdaContext Object http://docs.aws.amazon.com/lambda/latest/dg/python-context-object.html :param ca_private_key_password: For local testing, if the password is provided, skip the KMS decrypt. :param entropy_check: For local testing, if set to false, it will skip checking entropy and won't try to fetch additional random from KMS :param config_file: The config file to load the SSH CA private key from, and additional settings :return: the SSH Certificate that can be written to id_rsa-cert.pub or similar file. """ # AWS Region determines configs related to KMS region = os.environ['AWS_REGION'] # Load the deployment config values config = BlessConfig(region, config_file=config_file) logging_level = config.get(BLESS_OPTIONS_SECTION, LOGGING_LEVEL_OPTION) numeric_level = getattr(logging, logging_level.upper(), None) if not isinstance(numeric_level, int): raise ValueError('Invalid log level: {}'.format(logging_level)) logger = logging.getLogger() logger.setLevel(numeric_level) certificate_validity_before_seconds = config.getint(BLESS_OPTIONS_SECTION, CERTIFICATE_VALIDITY_BEFORE_SEC_OPTION) certificate_validity_after_seconds = config.getint(BLESS_OPTIONS_SECTION, CERTIFICATE_VALIDITY_AFTER_SEC_OPTION) entropy_minimum_bits = config.getint(BLESS_OPTIONS_SECTION, ENTROPY_MINIMUM_BITS_OPTION) random_seed_bytes = config.getint(BLESS_OPTIONS_SECTION, RANDOM_SEED_BYTES_OPTION) ca_private_key = config.getprivatekey() password_ciphertext_b64 = config.getpassword() certificate_extensions = config.get(BLESS_OPTIONS_SECTION, CERTIFICATE_EXTENSIONS_OPTION) # Process cert request schema = BlessSchema(strict=True) schema.context[USERNAME_VALIDATION_OPTION] = config.get(BLESS_OPTIONS_SECTION, USERNAME_VALIDATION_OPTION) schema.context[REMOTE_USERNAMES_VALIDATION_OPTION] = config.get(BLESS_OPTIONS_SECTION, REMOTE_USERNAMES_VALIDATION_OPTION) try: request = schema.load(event).data except ValidationError as e: return error_response('InputValidationError', str(e)) logger.info('Bless lambda invoked by [user: {0}, bastion_ips:{1}, public_key: {2}, kmsauth_token:{3}]'.format( request.bastion_user, request.bastion_user_ip, request.public_key_to_sign, request.kmsauth_token)) # decrypt ca private key password if ca_private_key_password is None: kms_client = boto3.client('kms', region_name=region) try: ca_password = kms_client.decrypt( CiphertextBlob=base64.b64decode(password_ciphertext_b64)) ca_private_key_password = ca_password['Plaintext'] except ClientError as e: return error_response('ClientError', str(e)) # if running as a Lambda, we can check the entropy pool and seed it with KMS if desired if entropy_check: with open('/proc/sys/kernel/random/entropy_avail', 'r') as f: entropy = int(f.read()) logger.debug(entropy) if entropy < entropy_minimum_bits: logger.info( 'System entropy was {}, which is lower than the entropy_' 'minimum {}. Using KMS to seed /dev/urandom'.format( entropy, entropy_minimum_bits)) response = kms_client.generate_random( NumberOfBytes=random_seed_bytes) random_seed = response['Plaintext'] with open('/dev/urandom', 'w') as urandom: urandom.write(random_seed) # cert values determined only by lambda and its configs current_time = int(time.time()) test_user = config.get(BLESS_OPTIONS_SECTION, TEST_USER_OPTION) if test_user and (request.bastion_user == test_user or request.remote_usernames == test_user): # This is a test call, the lambda will issue an invalid # certificate where valid_before < valid_after valid_before = current_time valid_after = current_time + 1 bypass_time_validity_check = True else: valid_before = current_time + certificate_validity_after_seconds valid_after = current_time - certificate_validity_before_seconds bypass_time_validity_check = False # Authenticate the user with KMS, if key is setup if config.get(KMSAUTH_SECTION, KMSAUTH_USEKMSAUTH_OPTION): if request.kmsauth_token: # Allow bless to sign the cert for a different remote user than the name of the user who signed it allowed_remotes = config.get(KMSAUTH_SECTION, KMSAUTH_REMOTE_USERNAMES_ALLOWED_OPTION) if allowed_remotes: allowed_users = allowed_remotes.split(',') requested_remotes = request.remote_usernames.split(',') if allowed_users != ['*'] and not all([u in allowed_users for u in requested_remotes]): return error_response('KMSAuthValidationError', 'unallowed remote_usernames [{}]'.format(request.remote_usernames)) elif request.remote_usernames != request.bastion_user: return error_response('KMSAuthValidationError', 'remote_usernames must be the same as bastion_user') try: validator = KMSTokenValidator( None, config.getkmsauthkeyids(), config.get(KMSAUTH_SECTION, KMSAUTH_SERVICE_ID_OPTION), region ) # decrypt_token will raise a TokenValidationError if token doesn't match validator.decrypt_token( "2/user/{}".format(request.bastion_user), request.kmsauth_token ) except TokenValidationError as e: return error_response('KMSAuthValidationError', str(e)) else: return error_response('InputValidationError', 'Invalid request, missing kmsauth token') # Build the cert ca = get_ssh_certificate_authority(ca_private_key, ca_private_key_password) cert_builder = get_ssh_certificate_builder(ca, SSHCertificateType.USER, request.public_key_to_sign) for username in request.remote_usernames.split(','): cert_builder.add_valid_principal(username) cert_builder.set_valid_before(valid_before) cert_builder.set_valid_after(valid_after) if certificate_extensions: for e in certificate_extensions.split(','): if e: cert_builder.add_extension(e) else: cert_builder.clear_extensions() # cert_builder is needed to obtain the SSH public key's fingerprint key_id = 'request[{}] for[{}] from[{}] command[{}] ssh_key[{}] ca[{}] valid_to[{}]'.format( context.aws_request_id, request.bastion_user, request.bastion_user_ip, request.command, cert_builder.ssh_public_key.fingerprint, context.invoked_function_arn, time.strftime("%Y/%m/%d %H:%M:%S", time.gmtime(valid_before))) cert_builder.set_critical_option_source_addresses(request.bastion_ips) cert_builder.set_key_id(key_id) cert = cert_builder.get_cert_file(bypass_time_validity_check) logger.info( 'Issued a cert to bastion_ips[{}] for remote_usernames[{}] with key_id[{}] and ' 'valid_from[{}])'.format( request.bastion_ips, request.remote_usernames, key_id, time.strftime("%Y/%m/%d %H:%M:%S", time.gmtime(valid_after)))) return success_response(cert)
def test_config_environment_override(monkeypatch): extra_environment_variables = { "bless_options_certificate_validity_after_seconds": "1", "bless_options_certificate_validity_before_seconds": "1", "bless_options_server_certificate_validity_after_seconds": "1", "bless_options_server_certificate_validity_before_seconds": "1", "bless_options_hostname_validation": "disabled", "bless_options_entropy_minimum_bits": "2", "bless_options_random_seed_bytes": "3", "bless_options_logging_level": "DEBUG", "bless_options_certificate_extensions": "permit-X11-forwarding", "bless_options_username_validation": "debian", "bless_options_remote_usernames_validation": "useradd", "bless_ca_us_east_1_password": "******", "bless_ca_default_password": "******", "bless_ca_ca_private_key_file": "<INSERT_YOUR_ENCRYPTED_PEM_FILE_NAME>", "bless_ca_ca_private_key": str( base64.b64encode(b"<INSERT_YOUR_ENCRYPTED_PEM_FILE_CONTENT>"), encoding="ascii", ), "kms_auth_use_kmsauth": "True", "kms_auth_kmsauth_key_id": "<INSERT_ARN>", "kms_auth_kmsauth_serviceid": "bless-test", } for k, v in extra_environment_variables.items(): monkeypatch.setenv(k, v) # Create an empty config, everything is set in the environment config = BlessConfig("us-east-1", config_file="") assert 1 == config.getint(BLESS_OPTIONS_SECTION, CERTIFICATE_VALIDITY_AFTER_SEC_OPTION) assert 1 == config.getint(BLESS_OPTIONS_SECTION, CERTIFICATE_VALIDITY_BEFORE_SEC_OPTION) assert 1 == config.getint(BLESS_OPTIONS_SECTION, SERVER_CERTIFICATE_VALIDITY_BEFORE_SEC_OPTION) assert 1 == config.getint(BLESS_OPTIONS_SECTION, SERVER_CERTIFICATE_VALIDITY_AFTER_SEC_OPTION) assert 2 == config.getint(BLESS_OPTIONS_SECTION, ENTROPY_MINIMUM_BITS_OPTION) assert 3 == config.getint(BLESS_OPTIONS_SECTION, RANDOM_SEED_BYTES_OPTION) assert "DEBUG" == config.get(BLESS_OPTIONS_SECTION, LOGGING_LEVEL_OPTION) assert "permit-X11-forwarding" == config.get( BLESS_OPTIONS_SECTION, CERTIFICATE_EXTENSIONS_OPTION) assert "debian" == config.get(BLESS_OPTIONS_SECTION, USERNAME_VALIDATION_OPTION) assert "disabled" == config.get(BLESS_OPTIONS_SECTION, HOSTNAME_VALIDATION_OPTION) assert "useradd" == config.get(BLESS_OPTIONS_SECTION, REMOTE_USERNAMES_VALIDATION_OPTION) assert ("<INSERT_US-EAST-1_KMS_ENCRYPTED_BASE64_ENCODED_PEM_PASSWORD_HERE>" == config.getpassword()) assert "<INSERT_YOUR_ENCRYPTED_PEM_FILE_NAME>" == config.get( BLESS_CA_SECTION, CA_PRIVATE_KEY_FILE_OPTION) assert b"<INSERT_YOUR_ENCRYPTED_PEM_FILE_CONTENT>" == config.getprivatekey( ) assert config.getboolean(KMSAUTH_SECTION, KMSAUTH_USEKMSAUTH_OPTION) assert "<INSERT_ARN>" == config.get(KMSAUTH_SECTION, KMSAUTH_KEY_ID_OPTION) assert "bless-test" == config.get(KMSAUTH_SECTION, KMSAUTH_SERVICE_ID_OPTION) config.aws_region = "invalid" assert ("<INSERT_DEFAULT_KMS_ENCRYPTED_BASE64_ENCODED_PEM_PASSWORD_HERE>" == config.getpassword())