def handle_list_retirable_grants(data):
    """Return one page of grants whose retiring principal matches the request.

    ``data`` is the parsed request body. ``RETIRING_PRINCIPAL`` is required and
    ``Limit`` (default 50) caps the page size. When ``Marker`` is present the
    page is taken from the backend's saved continuation slice rather than being
    re-filtered by principal, so the marker value alone binds a continuation
    page to the original query; an unknown marker yields an empty page.

    Returns a dict with ``Grants`` and ``Truncated``, plus ``NextMarker`` when
    more results remain.

    Raises ``ValidationException`` when the retiring principal is missing.
    """
    if RETIRING_PRINCIPAL not in data:
        raise ValidationException("Retiring principal must be specified")

    backend = KMSBackend.get()
    page_size = data.get("Limit", 50)
    wanted_principal = data[RETIRING_PRINCIPAL]

    if "Marker" in data:
        matching = backend.markers.get(data["Marker"], [])
    else:
        matching = [
            g
            for g in backend.grants.values()
            if RETIRING_PRINCIPAL in g and g[RETIRING_PRINCIPAL] == wanted_principal
        ]

    if len(matching) <= page_size:
        return {"Grants": matching, "Truncated": False}

    page, remainder = matching[:page_size], matching[page_size:]
    # The remainder is parked under a fresh id that the client echoes back as
    # the next Marker.
    next_marker = long_uid()
    backend.markers[next_marker] = remainder
    return {"Grants": page, "Truncated": True, "NextMarker": next_marker}
def handle_list_grants(data):
    """Return one page of grants for the key named in the request.

    ``data`` is the parsed request body. ``KEY_ID`` is required and is checked
    with ``verify_key_exists`` before anything else; ``Limit`` (default 50)
    caps the page size. Without ``Marker`` the grants are filtered by key id,
    ``filter_grant_id`` and ``filter_grantee_principal``; with ``Marker`` the
    page is read from the backend's saved continuation slice and is not
    re-filtered, so the marker alone ties the page to the original query.

    Returns a dict with ``Grants`` and ``Truncated``, plus ``NextMarker`` when
    more results remain.

    Raises ``ValidationException`` when ``KEY_ID`` is missing or the key does
    not exist.
    """
    if KEY_ID not in data:
        raise ValidationException("KeyId must be specified")

    backend = KMSBackend.get()
    key_id = data[KEY_ID]
    verify_key_exists(key_id)
    page_size = data.get("Limit", 50)

    if "Marker" in data:
        matching = backend.markers.get(data["Marker"], [])
    else:
        matching = []
        for g in backend.grants.values():
            if g[KEY_ID] != key_id:
                continue
            if not filter_grant_id(g, data):
                continue
            if not filter_grantee_principal(g, data):
                continue
            matching.append(g)

    if len(matching) <= page_size:
        return {"Grants": matching, "Truncated": False}

    page, remainder = matching[:page_size], matching[page_size:]
    next_marker = long_uid()
    backend.markers[next_marker] = remainder
    return {"Grants": page, "Truncated": True, "NextMarker": next_marker}
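def handle_revoke_grant(data):
    """Revoke the grant identified by ``GrantId`` and ``KeyId``.

    Both identifiers are required and the grant must belong to the given key.
    Missing parameters, an unknown grant id, and a grant issued for a different
    key all raise ``ValidationException``; previously an unknown grant id
    escaped as a bare ``KeyError`` and a key mismatch was reported with the
    misleading "must be specified" message.

    Returns an empty dict on success.
    """
    if GRANT_ID not in data or KEY_ID not in data:
        raise ValidationException("Grant ID, key ID must be specified")

    grants = KMSBackend.get().grants
    grant_id = data[GRANT_ID]
    key_id = data[KEY_ID]
    grant = grants.get(grant_id)
    # Unknown grant and wrong-key grant are rejected identically so the
    # response does not reveal whether a grant id exists under another key.
    if grant is None or grant[KEY_ID] != key_id:
        raise ValidationException(f"Grant {grant_id} not found for key {key_id}")
    del grants[grant_id]
    return {}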
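def handle_retire_grant(data):
    """Retire a grant, addressed either by ``GrantId`` + ``KeyId`` or by ``GrantToken``.

    With ``GrantId`` and ``KeyId`` the named grant is deleted; an unknown grant
    id or a grant belonging to a different key raises ``ValidationException``
    (previously an unknown id escaped as ``KeyError`` and a key mismatch fell
    through to the token branch). Otherwise, with ``GrantToken``, every grant
    carrying that token is dropped; grants without a ``GRANT_TOKENS`` entry are
    kept rather than raising. Neither form present raises ``ValidationException``.

    Returns an empty dict on success.
    """
    # NOTE(review): assumes KMSBackend.get() returns the same backend object on
    # every call, as the original read and reassigned .grants through separate
    # calls — confirm.
    backend = KMSBackend.get()
    grants = backend.grants

    if GRANT_ID in data and KEY_ID in data:
        grant_id = data[GRANT_ID]
        key_id = data[KEY_ID]
        grant = grants.get(grant_id)
        if grant is None or grant[KEY_ID] != key_id:
            raise ValidationException(f"Grant {grant_id} not found for key {key_id}")
        del grants[grant_id]
    elif "GrantToken" in data:
        token = data["GrantToken"]
        backend.grants = {
            gid: g
            for gid, g in grants.items()
            if token not in g.get(GRANT_TOKENS, [])
        }
    else:
        raise ValidationException("Grant token OR (grant ID, key ID) must be specified")
    return {}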
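def verify_key_exists(key_id):
    """Raise ``ValidationException`` unless ``key_id`` resolves via KMS DescribeKey.

    Uses the KMS client from ``aws_stack``; any failure of the DescribeKey call
    is reported as an invalid key id, with the original error chained as the
    cause so the real reason (not found, access denied, connectivity) stays
    visible in the traceback.
    """
    try:
        aws_stack.connect_to_service("kms").describe_key(KeyId=key_id)
    except Exception as exc:  # FIXME catch the proper exception
        raise ValidationException(f"Invalid keyId {key_id}") from exc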